CONSTITUTION.html

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta charset="utf-8" />
  <meta name="generator" content="pandoc" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
  <title>CONSTITUTION</title>
  <style>
    /* Default styles provided by pandoc.
    ** See https://pandoc.org/MANUAL.html#variables-for-html for config info.
    */
    html {
      color: #1a1a1a;
      background-color: #fdfdfd;
    }
    body {
      margin: 0 auto;
      max-width: 36em;
      padding-left: 50px;
      padding-right: 50px;
      padding-top: 50px;
      padding-bottom: 50px;
      hyphens: auto;
      overflow-wrap: break-word;
      text-rendering: optimizeLegibility;
      font-kerning: normal;
    }
    @media (max-width: 600px) {
      body {
        font-size: 0.9em;
        padding: 12px;
      }
      h1 {
        font-size: 1.8em;
      }
    }
    @media print {
      html {
        background-color: white;
      }
      body {
        background-color: transparent;
        color: black;
        font-size: 12pt;
      }
      p, h2, h3 {
        orphans: 3;
        widows: 3;
      }
      h2, h3, h4 {
        page-break-after: avoid;
      }
    }
    p {
      margin: 1em 0;
    }
    a {
      color: #1a1a1a;
    }
    a:visited {
      color: #1a1a1a;
    }
    img {
      max-width: 100%;
    }
    svg {
      height: auto;
      max-width: 100%;
    }
    h1, h2, h3, h4, h5, h6 {
      margin-top: 1.4em;
    }
    h5, h6 {
      font-size: 1em;
      font-style: italic;
    }
    h6 {
      font-weight: normal;
    }
    ol, ul {
      padding-left: 1.7em;
      margin-top: 1em;
    }
    li > ol, li > ul {
      margin-top: 0;
    }
    blockquote {
      margin: 1em 0 1em 1.7em;
      padding-left: 1em;
      border-left: 2px solid #e6e6e6;
      color: #606060;
    }
    code {
      white-space: pre-wrap;
      font-family: Menlo, Monaco, Consolas, 'Lucida Console', monospace;
      font-size: 85%;
      margin: 0;
      hyphens: manual;
    }
    pre {
      margin: 1em 0;
      overflow: auto;
    }
    pre code {
      padding: 0;
      overflow: visible;
      overflow-wrap: normal;
    }
    .sourceCode {
     background-color: transparent;
     overflow: visible;
    }
    hr {
      border: none;
      border-top: 1px solid #1a1a1a;
      height: 1px;
      margin: 1em 0;
    }
    table {
      margin: 1em 0;
      border-collapse: collapse;
      width: 100%;
      overflow-x: auto;
      display: block;
      font-variant-numeric: lining-nums tabular-nums;
    }
    table caption {
      margin-bottom: 0.75em;
    }
    tbody {
      margin-top: 0.5em;
      border-top: 1px solid #1a1a1a;
      border-bottom: 1px solid #1a1a1a;
    }
    th {
      border-top: 1px solid #1a1a1a;
      padding: 0.25em 0.5em 0.25em 0.5em;
    }
    td {
      padding: 0.125em 0.5em 0.25em 0.5em;
    }
    header {
      margin-bottom: 4em;
      text-align: center;
    }
    #TOC li {
      list-style: none;
    }
    #TOC ul {
      padding-left: 1.3em;
    }
    #TOC > ul {
      padding-left: 0;
    }
    #TOC a:not(:hover) {
      text-decoration: none;
    }
    span.smallcaps{font-variant: small-caps;}
    div.columns{display: flex; gap: min(4vw, 1.5em);}
    div.column{flex: auto; overflow-x: auto;}
    div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
    /* The extra [class] is a hack that increases specificity enough to
       override a similar rule in reveal.js */
    ul.task-list[class]{list-style: none;}
    ul.task-list li input[type="checkbox"] {
      font-size: inherit;
      width: 0.8em;
      margin: 0 0.8em 0.2em -1.6em;
      vertical-align: middle;
    }
    .display.math{display: block; text-align: center; margin: 0.5rem auto;}
    /* CSS for syntax highlighting */
    html { -webkit-text-size-adjust: 100%; }
    pre > code.sourceCode { white-space: pre; position: relative; }
    pre > code.sourceCode > span { display: inline-block; line-height: 1.25; }
    pre > code.sourceCode > span:empty { height: 1.2em; }
    .sourceCode { overflow: visible; }
    code.sourceCode > span { color: inherit; text-decoration: inherit; }
    div.sourceCode { margin: 1em 0; }
    pre.sourceCode { margin: 0; }
    @media screen {
    div.sourceCode { overflow: auto; }
    }
    @media print {
    pre > code.sourceCode { white-space: pre-wrap; }
    pre > code.sourceCode > span { text-indent: -5em; padding-left: 5em; }
    }
    pre.numberSource code
      { counter-reset: source-line 0; }
    pre.numberSource code > span
      { position: relative; left: -4em; counter-increment: source-line; }
    pre.numberSource code > span > a:first-child::before
      { content: counter(source-line);
        position: relative; left: -1em; text-align: right; vertical-align: baseline;
        border: none; display: inline-block;
        -webkit-touch-callout: none; -webkit-user-select: none;
        -khtml-user-select: none; -moz-user-select: none;
        -ms-user-select: none; user-select: none;
        padding: 0 4px; width: 4em;
        color: #aaaaaa;
      }
    pre.numberSource { margin-left: 3em; border-left: 1px solid #aaaaaa;  padding-left: 4px; }
    div.sourceCode
      {   }
    @media screen {
    pre > code.sourceCode > span > a:first-child::before { text-decoration: underline; }
    }
    code span.al { color: #ff0000; font-weight: bold; } /* Alert */
    code span.an { color: #60a0b0; font-weight: bold; font-style: italic; } /* Annotation */
    code span.at { color: #7d9029; } /* Attribute */
    code span.bn { color: #40a070; } /* BaseN */
    code span.bu { color: #008000; } /* BuiltIn */
    code span.cf { color: #007020; font-weight: bold; } /* ControlFlow */
    code span.ch { color: #4070a0; } /* Char */
    code span.cn { color: #880000; } /* Constant */
    code span.co { color: #60a0b0; font-style: italic; } /* Comment */
    code span.cv { color: #60a0b0; font-weight: bold; font-style: italic; } /* CommentVar */
    code span.do { color: #ba2121; font-style: italic; } /* Documentation */
    code span.dt { color: #902000; } /* DataType */
    code span.dv { color: #40a070; } /* DecVal */
    code span.er { color: #ff0000; font-weight: bold; } /* Error */
    code span.ex { } /* Extension */
    code span.fl { color: #40a070; } /* Float */
    code span.fu { color: #06287e; } /* Function */
    code span.im { color: #008000; font-weight: bold; } /* Import */
    code span.in { color: #60a0b0; font-weight: bold; font-style: italic; } /* Information */
    code span.kw { color: #007020; font-weight: bold; } /* Keyword */
    code span.op { color: #666666; } /* Operator */
    code span.ot { color: #007020; } /* Other */
    code span.pp { color: #bc7a00; } /* Preprocessor */
    code span.sc { color: #4070a0; } /* SpecialChar */
    code span.ss { color: #bb6688; } /* SpecialString */
    code span.st { color: #4070a0; } /* String */
    code span.va { color: #19177c; } /* Variable */
    code span.vs { color: #4070a0; } /* VerbatimString */
    code span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warning */
  </style>
</head>
<body>
<header id="title-block-header">
<h1 class="title">CONSTITUTION</h1>
</header>
<h1 id="helixcode-constitution">HelixCode Constitution</h1>
<h2 id="helixcode-project-constitution">HelixCode Project
Constitution</h2>
<p><strong>Version</strong>: 1.0.0 <strong>Effective Date</strong>:
2026-04-30 <strong>Scope</strong>: This Constitution applies to
HelixCode and ALL its submodules <strong>Authority</strong>: Cascaded
from HelixAgent root governance with HelixCode-specific addenda</p>
<hr />
<h2
id="inherited-from-constitutionconstitution.md-helixconstitution-submodule">INHERITED
FROM constitution/Constitution.md (HelixConstitution submodule)</h2>
<p>All universal rules in <code>constitution/Constitution.md</code>
apply unconditionally to HelixCode. This project Constitution
<strong>extends</strong> those universal rules with HelixCode-specific
addenda below — it does NOT and MAY NOT weaken any universal clause.
When this Constitution disagrees with the constitution submodule, the
constitution submodule wins.</p>
<p>The constitution submodule is at <code>./constitution/</code> (added
2026-05-14 per user mandate, pinned at the upstream
<code>HelixDevelopment/HelixConstitution</code> HEAD). To locate it from
nested submodules at arbitrary depth, source
<code>constitution/find_constitution.sh</code> from the parent project
tree.</p>
<p><strong>Project remote-policy scope (revised 2026-06-03)</strong> —
Per operator decision 2026-06-03, HelixCode aligns with the universal
Constitution’s multi-upstream Git-push allowance: GitHub
(<code>vasic-digital/*</code>, <code>HelixDevelopment/*</code>), GitLab
(same), GitFlic, and GitVerse are ALL permitted as Git remotes, and
pushes target every configured upstream. This
<strong>SUPERSEDES</strong> the earlier <code>CLAUDE.md</code> §6.W
tightening that forbade GitFlic/GitVerse — that remote-provider
restriction is <strong>LIFTED</strong>. Project tightenings unrelated to
remote providers (host power management, anti-bluff, secret-leak, etc.)
remain in force.</p>
<hr />
<h2 id="preamble">Preamble</h2>
<p>HelixCode is an enterprise-grade distributed AI development platform.
This Constitution establishes the non-negotiable rules that govern all
development, testing, deployment, and maintenance activities within the
project. Every contributor, agent, and automated process MUST adhere to
these rules. No exceptions.</p>
<hr />
<h2 id="const-001-no-cicd-pipelines-permanent">CONST-001: No CI/CD
Pipelines (Permanent)</h2>
<p>No <code>.github/workflows/</code>, <code>.gitlab-ci.yml</code>,
<code>Jenkinsfile</code>, <code>.travis.yml</code>,
<code>.circleci/</code>, or any automated pipeline. No Git hooks. All
builds and tests run manually or via Makefile/script targets.</p>
<p><strong>Rationale</strong>: Manual execution ensures human oversight
and prevents automated propagation of bluffs.</p>
<hr />
<h2 id="const-002-no-mocks-in-production-permanent">CONST-002: No Mocks
in Production (Permanent)</h2>
<h3 id="const-002a-production-code">CONST-002a: Production Code</h3>
<p>Mocks, stubs, fakes, placeholder classes, TODO implementations are
STRICTLY FORBIDDEN in production code. All production code is fully
functional with real integrations.</p>
<h3 id="const-002b-test-code">CONST-002b: Test Code</h3>
<p>Mocks/stubs/fakes MAY be used ONLY in unit tests (files ending
<code>_test.go</code> run under <code>go test -short</code>).</p>
<p><strong>Rationale</strong>: Production bluffs have repeatedly been
discovered where features appeared implemented but were
non-functional.</p>
<hr />
<h2 id="const-003-no-https-for-git-permanent">CONST-003: No HTTPS for
Git (Permanent)</h2>
<p>SSH URLs only (<code>git@github.com:…</code>,
<code>git@gitlab.com:…</code>, etc.) for clones, fetches, pushes, and
submodule updates. SSH keys are configured on every service.</p>
<hr />
<h2 id="const-004-no-manual-container-commands-permanent">CONST-004: No
Manual Container Commands (Permanent)</h2>
<p>Container orchestration is owned by the project’s binary/orchestrator
(e.g., <code>make build</code> → <code>./bin/&lt;app&gt;</code>). Direct
<code>docker</code>/<code>podman start|stop|rm</code> and
<code>docker-compose up|down</code> are prohibited as workflows.</p>
<hr />
<h2 id="const-005-100-real-data-for-non-unit-tests">CONST-005: 100% Real
Data for Non-Unit Tests</h2>
<p>Beyond unit tests, all components MUST use actual API calls, real
databases, live services. No simulated success. Fallback chains tested
with actual failures.</p>
<p><strong>Verification</strong>: Every integration/E2E test MUST
connect to real services or skip (not fail) if unavailable.</p>
<hr />
<h2 id="const-006-challenge-coverage-permanent">CONST-006: Challenge
Coverage (Permanent)</h2>
<p>Every component MUST have Challenge scripts
(<code>./challenges/scripts/</code>) validating real-life use cases. No
false success — validate actual behavior, not return codes.</p>
<hr />
<h2 id="const-007-health-observability">CONST-007: Health &amp;
Observability</h2>
<p>Every service MUST expose health endpoints. Circuit breakers for all
external dependencies. Prometheus / OpenTelemetry integration where
applicable.</p>
<hr />
<h2 id="const-008-documentation-quality">CONST-008: Documentation &amp;
Quality</h2>
<p>Update <code>CLAUDE.md</code>, <code>AGENTS.md</code>, and relevant
docs alongside code changes. Pass language-appropriate
format/lint/security gates. Conventional Commits:
<code>&lt;type&gt;(&lt;scope&gt;): &lt;description&gt;</code>.</p>
<hr />
<h2 id="const-009-validation-before-release">CONST-009: Validation
Before Release</h2>
<p>Pass the project’s full validation suite
(<code>make ci-validate-all</code>-equivalent) plus all challenges
(<code>./challenges/scripts/run_all_challenges.sh</code>).</p>
<hr />
<h2 id="const-010-comprehensive-verification">CONST-010: Comprehensive
Verification</h2>
<p>Every fix MUST be verified from all angles: runtime testing (actual
HTTP requests / real CLI invocations), compile verification, code
structure checks, dependency existence checks, backward compatibility,
and no false positives. Grep-only validation is NEVER sufficient.</p>
<hr />
<h2 id="const-011-resource-limits-for-tests-challenges">CONST-011:
Resource Limits for Tests &amp; Challenges</h2>
<p>ALL test and challenge execution MUST be strictly limited to 30-40%
of host system resources. Use <code>GOMAXPROCS=2</code>,
<code>nice -n 19</code>, <code>ionice -c 3</code>, <code>-p 1</code> for
<code>go test</code>. Container limits required.</p>
<hr />
<h2 id="const-012-bugfix-documentation">CONST-012: Bugfix
Documentation</h2>
<p>All bug fixes MUST be documented in
<code>docs/issues/fixed/BUGFIXES.md</code> with root cause analysis,
affected files, fix description, and a link to the verification
test/challenge.</p>
<hr />
<h2 id="const-013-real-infrastructure-for-all-non-unit-tests">CONST-013:
Real Infrastructure for All Non-Unit Tests</h2>
<p>Mocks/fakes/stubs/placeholders MAY be used ONLY in unit tests. ALL
other test types — integration, E2E, functional, security, stress,
chaos, challenge, benchmark, runtime verification — MUST execute against
REAL running systems with REAL containers, REAL databases, REAL
services, and REAL HTTP calls.</p>
<hr />
<h2 id="const-014-reproduction-before-fix-mandatory">CONST-014:
Reproduction-Before-Fix (Mandatory)</h2>
<p>Every reported error, defect, or unexpected behavior MUST be
reproduced by a Challenge script BEFORE any fix is attempted. Sequence:
1. Write the Challenge first 2. Run it; confirm fail (it reproduces the
bug) 3. Then write the fix 4. Re-run; confirm pass 5. Commit Challenge +
fix together</p>
<p>The Challenge becomes the regression guard for that bug forever.</p>
<hr />
<h2 id="const-015-concurrent-safe-containers">CONST-015: Concurrent-Safe
Containers</h2>
<p>Any struct field that is a mutable collection (map, slice) accessed
concurrently MUST use thread-safe primitives. Bare
<code>sync.Mutex + map/slice</code> combinations are prohibited for new
code.</p>
<hr />
<h2 id="const-016-definition-of-done-universal">CONST-016: Definition of
Done (Universal)</h2>
<p>A change is NOT done because code compiles and tests pass. “Done”
requires pasted terminal output from a real run.</p>
<ul>
<li><strong>No self-certification</strong>: Words like <em>verified,
tested, working, complete, fixed, passing</em> are forbidden in
commits/PRs/replies unless accompanied by pasted output from a command
that ran in that session.</li>
<li><strong>Demo before code</strong>: Every task begins by writing the
runnable acceptance demo</li>
<li><strong>Real system, every time</strong>: Demos run against real
artifacts</li>
<li><strong>Skips are loud</strong>: <code>t.Skip</code> without a
trailing <code>SKIP-OK: #&lt;ticket&gt;</code> comment breaks
validation</li>
</ul>
<hr />
<h2
id="const-035-anti-bluff-tests-challenges-user-mandate-forensic-anchor">CONST-035
— Anti-Bluff Tests &amp; Challenges (User-Mandate Forensic Anchor)</h2>
<p><strong>§11.9 User-Mandate Forensic Anchor (2026-04-29)</strong></p>
<p>This Article exists because of an explicit, repeatedly-stated user
mandate. The verbatim text:</p>
<blockquote>
<p>“We had been in position that all tests do execute with success and
all Challenges as well, but in reality the most of the features does not
work and can’t be used! This MUST NOT be the case and execution of tests
and Challenges MUST guarantee the quality, the completion and full
usability by end users of the product!”</p>
</blockquote>
<p>This anchor is the primary authority for the entire Article. The
operative rule is:</p>
<p><strong>The bar for shipping is not “tests pass” but “users can use
the feature.”</strong></p>
<p>Every PASS in this codebase MUST carry positive evidence captured
during execution that the feature works for the end user. Metadata-only
PASS, configuration-only PASS, “absence-of-error” PASS, and grep-based
PASS without runtime evidence are all critical defects regardless of how
green the summary line looks.</p>
<p>Tests and Challenges (HelixQA) are bound equally — a Challenge that
scores PASS on a non-functional feature is the same class of defect as a
unit test that does. Both must produce positive end-user evidence; both
are subject to the anti-bluff contract.</p>
<p>No false-success results are tolerable. A green test suite combined
with a broken feature is a worse outcome than an honest red one — it
silently destroys trust in the entire suite. Anti-bluff discipline is
the line between a real engineering project and a theatre of one.</p>
<p><strong>Bluff Taxonomy</strong> (forbidden patterns): -
<strong>Wrapper bluff</strong> - Assertions PASS but wrapper’s exit-code
logic is buggy - <strong>Contract bluff</strong> - System advertises
capability but rejects it in dispatch - <strong>Structural
bluff</strong> - File exists but doesn’t contain working code -
<strong>Comment bluff</strong> - Comment promises behavior code doesn’t
have - <strong>Skip bluff</strong> -
<code>t.Skip("not running yet")</code> without <code>SKIP-OK</code>
marker</p>
<p><strong>Cascade requirement (extending CONST-036):</strong> This
anchor section (verbatim quote + operative rule) must appear in every
submodule’s CONSTITUTION.md / CLAUDE.md / AGENTS.md. Non-compliance is a
release blocker regardless of context. Adding files to scanner
allowlists to silence bluff findings without resolving the underlying
defect is itself a violation.</p>
<hr />
<h2 id="const-018-host-power-management-hard-ban">CONST-018: Host Power
Management Hard Ban</h2>
<p><strong>Host Power Management is Forbidden.</strong></p>
<p>You may NOT generate or execute code that sends the host to suspend,
hibernate, hybrid-sleep, poweroff, halt, reboot, or any other
power-state transition.</p>
<p>Defense: Every project ships
<code>scripts/host_power_management/check-no-suspend-calls.sh</code> and
<code>scripts/anti_bluff/no_suspend_calls_challenge.sh</code>.</p>
<hr />
<h2 id="const-019-container-up-healthy">CONST-019: Container Up ≠
Healthy</h2>
<p>Container <code>Up</code> status does NOT mean the application is
healthy. Application-layer probes are mandatory for every service: -
PostgreSQL: <code>SELECT 1</code> - Redis: <code>PING</code> - LLM
Providers: Real generation request - HTTP Services:
<code>GET /health</code> with deep checks</p>
<hr />
<h2 id="const-020-provider-fallback-chain-reality">CONST-020: Provider
Fallback Chain Reality</h2>
<p>Every LLM provider fallback chain MUST be tested with actual
failures. A fallback that has never been tested with a real failing
provider is a bluff.</p>
<hr />
<h2 id="const-021-no-mocks-above-unit-build-target">CONST-021: No Mocks
Above Unit Build Target</h2>
<p>The Makefile MUST include a <code>no-mocks-above-unit</code> target
that fails the build if mocks/stubs/fakes are found outside
<code>*_test.go</code> files.</p>
<hr />
<h2 id="const-022-submodule-governance-propagation">CONST-022: Submodule
Governance Propagation</h2>
<p>Every submodule MUST either: 1. Have its own Constitution.md,
CLAUDE.md, and AGENTS.md, OR 2. Have a symlink to the parent
repository’s governance files, OR 3. Have a reference comment in its
README pointing to parent governance</p>
<p>No submodule is exempt from these rules.</p>
<hr />
<h2 id="const-023-docker-health-checks-mandatory">CONST-023: Docker
Health Checks Mandatory</h2>
<p>Every Dockerfile MUST include:</p>
<div class="sourceCode" id="cb1"><pre
class="sourceCode dockerfile"><code class="sourceCode dockerfile"><span id="cb1-1"><a href="#cb1-1" aria-hidden="true" tabindex="-1"></a><span class="kw">HEALTHCHECK</span> <span class="op">--interval=30s</span> <span class="op">--timeout=10s</span> <span class="op">--start-period=5s</span> <span class="op">--retries=3</span> \</span>
<span id="cb1-2"><a href="#cb1-2" aria-hidden="true" tabindex="-1"></a>    <span class="kw">CMD</span> <span class="ex">curl</span> <span class="at">-f</span> http://localhost:8080/health <span class="kw">||</span> <span class="bu">exit</span> 1</span></code></pre></div>
<p>The health endpoint MUST perform deep checks (database connection,
provider availability), not just return HTTP 200.</p>
<hr />
<h2 id="const-024-version-pinning">CONST-024: Version Pinning</h2>
<p>All dependencies MUST be pinned to specific versions in
<code>go.mod</code>. No <code>latest</code>, no floating tags. Renovate
or Dependabot (manual review only — see CONST-001) may propose
updates.</p>
<hr />
<h2 id="const-025-secret-management">CONST-025: Secret Management</h2>
<p>NO secrets in code. EVER. Secrets via: - Environment variables
(production) - <code>.env</code> files (development, in
<code>.gitignore</code>) - Vault/Secret Manager (enterprise) - Docker
secrets (containerized)</p>
<p><code>go mod tidy</code> MUST NOT add secret-scanning bypasses.</p>
<hr />
<h2 id="const-026-minimal-privilege-containers">CONST-026: Minimal
Privilege Containers</h2>
<p>Containers run as non-root. Every Dockerfile:</p>
<div class="sourceCode" id="cb2"><pre
class="sourceCode dockerfile"><code class="sourceCode dockerfile"><span id="cb2-1"><a href="#cb2-1" aria-hidden="true" tabindex="-1"></a><span class="kw">RUN</span> <span class="ex">adduser</span> <span class="at">-D</span> <span class="at">-u</span> 1001 helixcode</span>
<span id="cb2-2"><a href="#cb2-2" aria-hidden="true" tabindex="-1"></a><span class="kw">USER</span> helixcode</span></code></pre></div>
<hr />
<h2 id="const-027-network-isolation">CONST-027: Network Isolation</h2>
<p>Container orchestration MUST use internal networks. Services
communicate via named hosts, not exposed ports where possible.</p>
<hr />
<h2 id="const-028-backup-before-destructive-operations">CONST-028:
Backup Before Destructive Operations</h2>
<p>Every file editing tool MUST create backups before modification. The
backup MUST be restorable.</p>
<hr />
<h2 id="const-029-input-validation-at-all-boundaries">CONST-029: Input
Validation at All Boundaries</h2>
<p>Every public function MUST validate inputs. No trust of
caller-provided data. SQL injection, path traversal, command injection
MUST be impossible by design.</p>
<hr />
<h2 id="const-030-graceful-degradation">CONST-030: Graceful
Degradation</h2>
<p>When external services are unavailable, the system MUST degrade
gracefully: - Return partial results where possible - Queue operations
for retry - Inform user of degraded state - NEVER crash or hang
indefinitely</p>
<hr />
<h2 id="const-031-audit-trail">CONST-031: Audit Trail</h2>
<p>Every significant operation MUST be logged with: - Timestamp - User
identity - Operation type - Success/failure status - Resource
affected</p>
<p>Log retention: 90 days minimum.</p>
<hr />
<h2 id="const-032-emergency-stop">CONST-032: Emergency Stop</h2>
<p>Every long-running or distributed operation MUST support cancellation
via <code>context.Context</code>. Users MUST be able to interrupt any
operation.</p>
<hr />
<h2 id="const-033-data-integrity">CONST-033: Data Integrity</h2>
<p>Database writes MUST be transactional. Partial writes MUST be rolled
back. Consistency checks MUST run periodically.</p>
<hr />
<h2 id="const-034-api-stability">CONST-034: API Stability</h2>
<p>Public APIs maintain backward compatibility within major versions.
Deprecation requires: - 6-month notice - Migration guide - Compatibility
shim</p>
<hr />
<h2
id="const-035-end-user-usability-mandate-2026-04-29-strengthening">CONST-035:
End-User Usability Mandate (2026-04-29 Strengthening)</h2>
<p>A test or Challenge that PASSES is a CLAIM that the tested behavior
<strong>works for the end user of the product</strong>.</p>
<p>The HelixAgent project has repeatedly hit the failure mode where
every test ran green AND every Challenge reported PASS, yet most product
features did not actually work. This MUST NOT recur in HelixCode.</p>
<p>Every PASS result MUST guarantee: a. <strong>Quality</strong> -
correct behavior under real inputs, edge cases, concurrency b.
<strong>Completion</strong> - wired end-to-end with no stub/placeholder
gaps c. <strong>Full usability</strong> - a user following documented
request shapes SUCCEEDS</p>
<p>A passing test that doesn’t certify all three is a
<strong>bluff</strong> and MUST be tightened.</p>
<p><strong>Bluff taxonomy</strong> (each pattern observed and now
forbidden): - <strong>Wrapper bluff</strong> - assertions PASS but
wrapper’s exit-code logic is buggy - <strong>Contract bluff</strong> -
system advertises capability but rejects it in dispatch -
<strong>Structural bluff</strong> - <code>check_file_exists</code>
passes but doesn’t run the test - <strong>Comment bluff</strong> -
comment promises behavior code doesn’t actually have - <strong>Skip
bluff</strong> - <code>t.Skip("not running yet")</code> without
<code>SKIP-OK: #&lt;ticket&gt;</code> marker</p>
<p><strong>Full background</strong>:
<code>docs/HOST_POWER_MANAGEMENT.md</code> and this Constitution
(CONST-035).</p>
<hr />
<h2 id="const-036-propagation-to-submodules">CONST-036: Propagation to
Submodules</h2>
<p>This Constitution, along with CLAUDE.md and AGENTS.md, MUST be
propagated to ALL submodules. Each submodule’s governance MUST reference
this parent Constitution. Changes to this Constitution MUST trigger
review of all submodule governance files.</p>
<hr />
<h2
id="const-037-llmsverifier-single-source-of-truth-mandate">CONST-037:
LLMsVerifier Single Source of Truth Mandate</h2>
<p><strong>Rule</strong>: LLMsVerifier SHALL BE the sole authoritative
source for: 1. All model metadata (names, IDs, context windows,
capabilities) 2. All provider metadata (endpoints, auth types, supported
models) 3. All verification status (verified, partial, failed, pending)
4. All scoring data (overall scores, capability scores, tier rankings)
5. All rate-limit and cooldown state</p>
<p><strong>Prohibition</strong>: NO hardcoded model lists, NO hardcoded
provider lists, NO simulated model discovery. Any code path that
presents a model or provider listing to a user MUST fetch that listing
from the LLMsVerifier subsystem or its cached replica.</p>
<p><strong>Anti-Bluff Verification</strong>: - The challenge script
<code>scripts/anti_bluff/verifier_hardcode_check.sh</code> MUST scan all
Go source files for hardcoded model arrays. - Any
<code>[]string{"gpt-4", "claude-3"}</code> or equivalent literal in
production code is a constitutional violation. - The only permitted
hardcoded data is the LLMsVerifier service endpoint URL and the list of
verification test types.</p>
<p><strong>Enforcement</strong>: <code>make test-complete</code> MUST
include a test that asserts
<code>ModelManager.GetAvailableModels()</code> returns at least as many
models as the verifier’s database contains for configured providers. A
test that passes while the CLI shows a hardcoded list is a TEST BLUFF
and violates CONST-035.</p>
<hr />
<h2 id="const-038-model-provider-anti-bluff-guarantee">CONST-038: Model
Provider Anti-Bluff Guarantee</h2>
<p><strong>Rule</strong>: Every model displayed to an end user MUST have
been verified by LLMsVerifier within the last
<code>verification_timeout</code> period (default: 24h). Models older
than this MUST display a “stale” indicator and be deprioritized.</p>
<p><strong>Prohibition Against Test Bluffing</strong>: - A unit test
that mocks the verifier client and asserts
<code>GetAvailableModels()</code> returns 3 models DOES NOT satisfy this
rule. - An integration test that starts the verifier server, performs
real provider discovery, and confirms the model count matches the actual
provider API response DOES satisfy this rule. - The Makefile target
<code>make test-verifier-integration</code> MUST exist and MUST run
without mocks.</p>
<p><strong>The “Tests Pass But Features Don’t Work”
Guarantee</strong>:</p>
<pre><code>NO TEST MAY PASS UNLESS THE FEATURE IT TESTS IS DEMONSTRABLY USABLE
BY AN END USER IN THE SAME BUILD.</code></pre>
<ul>
<li>If <code>TestModelList</code> passes but
<code>helixcode --list-models</code> shows hardcoded data, the test is a
BLUFF.</li>
<li>If <code>TestProviderHealth</code> passes but the health endpoint
returns <code>200 OK</code> for a provider that is actually down, the
test is a BLUFF.</li>
<li>If <code>TestLLMGeneration</code> passes but
<code>--prompt "hello"</code> returns a simulated string, the test is a
BLUFF.</li>
<li>Bluff tests MUST be rewritten or deleted. There is no “grandfather”
exception.</li>
</ul>
<p><strong>Evidence Standard</strong>: Every test that claims to verify
model/provider functionality MUST: 1. Call a real API endpoint or a real
verifier database 2. Assert on response content that could only come
from that real source 3. Include a test that runs the CLI binary with
<code>--list-models</code> and checks output against verifier data</p>
<hr />
<h2 id="const-039-real-time-model-status-accuracy">CONST-039: Real-Time
Model Status Accuracy</h2>
<p><strong>Rule</strong>: Model status (available, rate-limited,
cooldown, offline, deprecated) displayed to users MUST reflect the
actual state as known by LLMsVerifier within <code>max_staleness</code>
seconds (default: 60s).</p>
<p><strong>Polling vs. Push</strong>: - If WebSocket/SSE push is
unavailable, the system MUST poll LLMsVerifier at most every
<code>status_poll_interval</code> (default: 30s). - The TUI MUST display
a “last updated” timestamp with every model listing. - Models in
“cooldown” or “rate-limited” state MUST show the estimated recovery time
if known.</p>
<p><strong>Accuracy Verification</strong>: - Challenge script
<code>challenges/scripts/model_status_accuracy_challenge.sh</code> MUST:
1. Artificially rate-limit a provider by exhausting its quota 2. Wait
for the status to propagate to the verifier 3. Check that
<code>helixcode --list-models</code> shows the rate-limited status
within 60s 4. Check that <code>SelectOptimalModel()</code> no longer
selects the rate-limited model</p>
<p><strong>Prohibition</strong>: Status indicators that are “always
green” or that lag &gt;60s behind reality violate this rule.</p>
<hr />
<h2
id="const-040-all-providers-and-models-integration-mandate">CONST-040:
All Providers and Models Integration Mandate</h2>
<p><strong>Rule</strong>: HelixCode MUST integrate with ALL providers
and models that LLMsVerifier supports, subject only to: 1. The provider
being explicitly disabled in configuration (<code>enabled: false</code>)
2. The API key being absent and the provider requiring one 3. The
provider being marked <code>deprecated</code> in the verifier
database</p>
<p><strong>Minimum Provider Set</strong> (SHALL NOT be reduced without
constitutional amendment): | Provider | Auth Type | Required Env Var |
|———-|———–|—————–| | OpenAI | API Key | <code>OPENAI_API_KEY</code> | |
Anthropic | API Key / OAuth | <code>ANTHROPIC_API_KEY</code> | | Gemini
| API Key | <code>GEMINI_API_KEY</code> | | DeepSeek | API Key |
<code>DEEPSEEK_API_KEY</code> | | Groq | API Key |
<code>GROQ_API_KEY</code> | | Mistral | API Key |
<code>MISTRAL_API_KEY</code> | | xAI | API Key |
<code>XAI_API_KEY</code> | | OpenRouter | API Key |
<code>OPENROUTER_API_KEY</code> | | Ollama | Local | None (auto-detect)
| | Llama.cpp | Local | None (auto-detect) |</p>
<p><strong>Integration Requirement</strong>: For every provider in the
minimum set: - There MUST be a provider adapter file in
<code>internal/llm/</code> or <code>internal/verifier/adapters/</code> -
There MUST be a <code>*_test.go</code> file with real API tests (skipped
only if <code>HELIX_SKIP_LIVE_PROVIDER_TESTS</code> is set) - There MUST
be a challenge script in <code>challenges/scripts/</code> - The model
listing MUST include models from this provider when the provider is
enabled</p>
<hr />
<h2
id="const-041-mcp-lsp-acp-embedding-rag-skills-plugins-integration-mandate">CONST-041:
MCP / LSP / ACP / Embedding / RAG / Skills / Plugins Integration
Mandate</h2>
<p><strong>Rule</strong>: LLMsVerifier integration SHALL extend beyond
basic model listing to cover ALL capability dimensions:</p>
<ol type="1">
<li><p><strong>MCP (Model Context Protocol)</strong>: The verifier MUST
report which models support MCP tool calling. HelixCode’s MCP subsystem
MUST consult verifier capability flags before selecting a model for
tool-use tasks.</p></li>
<li><p><strong>LSP (Language Server Protocol)</strong>: The verifier
MUST report code-analysis capabilities. Models without
<code>code_analysis</code> capability MUST NOT be selected for
refactoring or debugging tasks.</p></li>
<li><p><strong>ACP (Agent Capability Protocol)</strong>: The verifier
MUST report multi-agent coordination support. Models with
<code>supports_parallel_tool_use</code> MUST be preferred for ACP
workflows.</p></li>
<li><p><strong>Embedding</strong>: The verifier MUST report
<code>supports_embeddings</code> for each model. The
<code>CogneeConfig</code> embedding model selection MUST be
verifier-aware.</p></li>
<li><p><strong>RAG (Retrieval-Augmented Generation)</strong>: The
verifier MUST report context-window sizes. RAG chunking strategies MUST
adapt to the selected model’s <code>context_window_tokens</code> as
reported by the verifier.</p></li>
<li><p><strong>Skills / Plugins</strong>: The verifier MUST track plugin
compatibility. Models flagged <code>plugin_compatible</code> MUST be
used when skill/plugin execution is required.</p></li>
</ol>
<p><strong>Capability Checklist</strong> (MUST be verified by
challenge): - [ ] MCP tool calling verified for at least 3 providers - [
] LSP code-analysis verified for at least 3 providers - [ ] ACP parallel
tool use verified for at least 2 providers - [ ] Embedding generation
verified for at least 2 providers - [ ] RAG context-window adaptation
verified - [ ] Skills/plugin execution verified for at least 2
providers</p>
<p><strong>Prohibition</strong>: Capability flags MUST NOT be hardcoded.
The <code>Provider.GetCapabilities()</code> method MUST return data
sourced from the verifier’s <code>VerificationResult</code> fields.</p>
<hr />
<h2
id="const-046-no-hardcoded-content-all-user-facing-text-must-be-dynamic">CONST-046:
No Hardcoded Content — All User-Facing Text Must Be Dynamic</h2>
<p><strong>Rule</strong>: NO user-facing text, prompt template, question
text, error message, label, helper text, or explanatory content may be
hardcoded as a static literal string in any source file, test file,
configuration template, script, or governance document. All such content
MUST be either: 1. Generated dynamically by an LLM at runtime based on
context (user’s language, prompt content, session state), OR 2. Loaded
from a resource file (<code>.yaml</code>, <code>.json</code>,
<code>.toml</code>) that supports i18n and can be overridden per locale,
OR 3. Composed programmatically from verifier-provided metadata or
configuration data</p>
<p><strong>Rationale</strong>: Hardcoded English-only text creates a
system that silently breaks for non-English users. A clarification
question hardcoded as “Which file has the bug?” could be asked
identically to a Japanese, Serbian, or Spanish user who specified their
request in that language — producing an incoherent, unusable experience.
Every piece of user-facing text MUST adapt to the user’s language and
context. A static string array is a constitutional violation.</p>
<p><strong>Prohibition</strong>: Static literal arrays/slices of
question text, fixed prompt templates with hardcoded English phrases,
hardcoded error messages in anything other than Go standard library
format (which uses English identifiers but is not user-facing), and
hardcoded label/display text in TUI, CLI, desktop, or mobile
interfaces.</p>
<p><strong>Examples of violations</strong>: -
<code>[]string{"Which file has the bug?", "What is the expected behavior?"}</code>
— hardcoded question bank -
<code>fmt.Sprintf("The build failed with: %s", err)</code> —
user-visible English template -
<code>tview.NewTextView().SetText("Press Enter to continue")</code> —
hardcoded UI label - <code>return "feature not implemented"</code> —
user-visible static string</p>
<p><strong>Examples of compliant patterns</strong>: - Questions
generated by <code>llm.Generate(ctx, prompt)</code> and parsed into
structured output - Labels loaded from <code>locales/en.yaml</code> with
fallback to verifier metadata - Error wrapping:
<code>fmt.Errorf("build: %w", err)</code> — identifier-based, not
user-facing prose - Dynamic formatting:
<code>s.formatMessage(ctx, key, args...)</code> — dispatches through
i18n/LLM layer</p>
<p><strong>Enforcement</strong>: <code>make lint</code> MUST include a
check that scans for hardcoded human-readable strings exceeding a length
threshold. The anti-bluff sweep command
(<code>grep -rn "simulated\|placeholder\|stub\|TODO"</code>) MUST also
flag obvious hardcoded-text patterns.</p>
<p><strong>Cascade requirement</strong>: This rule (verbatim or by
CONST-046 ID reference) MUST appear in every owned-by-us submodule’s
CONSTITUTION.md, CLAUDE.md, and AGENTS.md.</p>
<hr />
<h2
id="const-045-no-hardcoded-distribution-hosts-all-distribution-via-containers.env">CONST-045:
No Hardcoded Distribution Hosts — All Distribution Via
containers/.env</h2>
<p><strong>Rule</strong>: ALL container distribution targets SHALL be
configured exclusively through the
<code>CONTAINERS_REMOTE_HOST_N_*</code> environment variables in
<code>containers/.env</code> (N=1..100; iteration stops at first absent
<code>_NAME</code>). The containers module’s
<code>pkg/envconfig/parser.go</code> is the authoritative loader.</p>
<p><strong>Prohibition</strong>: NO distribution host (hostname, IP
address, SSH user, SSH key path, runtime, labels) may be hardcoded in
ANY HelixCode-owned source file, test file, challenge, configuration
template, script, documentation, governance document (CONSTITUTION.md,
CLAUDE.md, AGENTS.md), or any other committed artefact.</p>
<p><strong>The sole source of truth for host enrolment is
<code>containers/.env</code></strong> (gitignored, mode 0600).
<code>containers/.env.example</code> documents the format but contains
NO operative host entries. Adding, removing, or modifying a distribution
host MUST be done by editing <code>containers/.env</code> ONLY; no code
change is required or permitted.</p>
<p><strong>Audit command</strong>:
<code>grep -rn 'CONTAINERS_REMOTE_HOST_' containers/.env</code>. The
configured set at any point is whatever <code>.env</code> declares. At
rule introduction time (2026-05-07), the configured hosts are
<code>thinker.local</code>, but the rule applies to whatever set is in
<code>.env</code> at any future point.</p>
<p><strong>Testing</strong>: Non-unit tests and Challenges that require
remote distribution SHALL read <code>containers/.env</code> at runtime.
They SHALL skip (with
<code>SKIP-OK: #P{X} no remote hosts configured</code>) when
<code>CONTAINERS_REMOTE_ENABLED</code> is <code>false</code> or unset,
and SHALL use whatever hosts are configured when enabled. No test may
hardcode a host name.</p>
<p><strong>Cascade requirement:</strong> This rule (verbatim or by
CONST-045 ID reference) MUST appear in every owned-by-us submodule’s
CONSTITUTION.md, CLAUDE.md, and AGENTS.md.</p>
<hr />
<h2 id="article-xii-repository-safety">Article XII — Repository
Safety</h2>
<h3 id="const-042-no-secret-leak">§12.1 (CONST-042) —
No-Secret-Leak</h3>
<p>No API key, token, password, certificate, or other credential may be
committed to any repository owned by HelixDevelopment or vasic-digital,
transitively or otherwise. All secrets live in <code>.env</code> files
(mode 0600) listed in <code>.gitignore</code>. Any leak — to git, logs,
build artefacts, screenshots, or external services — is a release
blocker until rotated and post-mortemed.</p>
<p><strong>Operational requirements:</strong> - Every repo must have
<code>.env</code>, <code>.env.local</code>, <code>.env.*</code> (with
<code>!.env.example</code> exception), <code>*.pem</code>,
<code>*.key</code>, <code>*.crt</code>, <code>id_rsa*</code> in
<code>.gitignore</code>. - <code>scripts/scan-secrets.sh</code> (or
equivalent) must run before every push; failing it blocks the push. -
API keys for development are sourced from the canonical
<code>../helix_agent/.env</code> (mode 0600, never under git) and copied
— never symlinked, never committed — into per-repo <code>.env</code>
files.</p>
<p><strong>Cascade requirement:</strong> This article must appear
verbatim in every owned-by-us repository’s <code>CONSTITUTION.md</code>,
<code>CLAUDE.md</code>, and <code>AGENTS.md</code>. Owned-by-us repos
are listed in <code>scripts/owned-repos.txt</code> (or, until that file
exists, the meta-repo <code>propagate-governance.sh</code> script’s
submodule walk excluding third-party trees).</p>
<h3 id="const-043-no-force-push">§12.2 (CONST-043) — No-Force-Push</h3>
<p>No force push, force-with-lease push, history rewrite, branch
deletion of <code>main</code>/<code>master</code>, or
upstream-overwriting operation may be performed without explicit,
in-conversation user approval given for that specific operation.
Authorization for one push does not extend to subsequent pushes.
Bypassing hooks (<code>--no-verify</code>), signature verification
(<code>--no-gpg-sign</code>), or protected-branch rules also requires
explicit approval. This applies to every repository in the
HelixDevelopment / vasic-digital stack.</p>
<p><strong>Operational requirements:</strong> - Local pre-push hook at
<code>scripts/git_hooks/pre-push</code> (installed by
<code>scripts/install-git-hooks.sh</code>) must reject
<code>--force</code> / <code>--force-with-lease</code> unless
<code>HELIX_FORCE_PUSH_APPROVED=1</code> is set. - The hook is a
courtesy gate; this constitutional clause is the actual contract. -
Regular non-force pushes of new commits to existing branches on
already-configured remotes are PERMITTED without per-push approval,
scoped to a programme/conversation in which the user has authorised the
cadence.</p>
<p><strong>Cascade requirement:</strong> Same as §12.1 — verbatim, every
owned-by-us repo’s three governance files.</p>
<hr />
<h2 id="article-xiii-programme-continuity">Article XIII — Programme
Continuity</h2>
<h3 id="const-044-continuation-document-maintenance-mandate">§13.1
(CONST-044) — Continuation Document Maintenance Mandate</h3>
<p>The <code>docs/CONTINUATION.md</code> document MUST be maintained in
sync with the actual state of the CLI-Agent Fusion programme at all
times. It is the authoritative resumption record for any CLI agent or
LLM picking up the work from any session, at any time.</p>
<p><strong>Mandate:</strong> Every commit that advances programme state
— feature task completion, feature close-out, push to remotes,
known-issue discovery, deferred-item resolution, phase transition,
addition or removal of submodules / remotes — MUST update
<code>docs/CONTINUATION.md</code> to reflect the new state in the same
commit (or in an immediately-following commit if the state-changing
commit is small and topical).</p>
<p><strong>Definition of “out-of-sync”:</strong> -
<code>Last updated</code> SHA in CONTINUATION ≠
<code>git rev-parse HEAD</code> on <code>main</code>. -
<code>Active feature in flight</code> in CONTINUATION ≠ feature in
<code>docs/improvements/PROGRESS.md</code> “Current focus”. - Tasks
marked done in CONTINUATION ≠ ticked tasks in <code>PROGRESS.md</code>.
- Known-issue list missing a documented failure that exists in evidence
files (<code>docs/improvements/0[5-9]_phase_*_evidence.md</code>). -
Repository state table missing or stale-SHA for any submodule listed in
<code>.gitmodules</code>.</p>
<p><strong>Severity:</strong> Out-of-sync <code>CONTINUATION.md</code>
is a <strong>CRITICAL DEFECT</strong>. Same severity as a false-success
test result under CONST-035 / Article XI §11.9. A green build with an
out-of-sync continuation document is unshippable.</p>
<p><strong>Verification:</strong>
<code>scripts/verify_continuation_sync.sh</code> (TBD; planned for Phase
3) compares CONTINUATION fields against <code>PROGRESS.md</code>,
<code>git rev-parse HEAD</code>, evidence files, and
<code>.gitmodules</code>. Non-zero exit = sync violation → blocking
pre-push.</p>
<p><strong>Cascade requirement:</strong> This article must appear
verbatim — or be referenced by <code>CONST-044</code> ID with a pointer
back to this anchor — in every owned-by-us repository’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Submodules without their own
<code>docs/CONTINUATION.md</code> reference the meta-repo’s CONTINUATION
as the authoritative document; submodules that maintain their own
CONTINUATION must pin its SHA and update on every state-changing commit
identically.</p>
<hr />
<h2 id="const-047-recursive-submodule-application-mandate">CONST-047:
Recursive Submodule Application Mandate</h2>
<blockquote>
<p><strong>Verbatim user mandate (2026-05-14):</strong> <em>“Make sure
all work we do is applied ALWAYS to all Submodules we control under our
organizations (vasic-digital and HelixDevelopment) fully recursively
everywhere with full bluff-proofing and comprehensive documentation,
user manuals and guides and full tests and Challenges
coverage!”</em></p>
</blockquote>
<p><strong>Operative rule:</strong> Every engineering deliverable
produced for HelixCode MUST be applied — fully and recursively — to
every owned submodule under the <code>vasic-digital</code> and
<code>HelixDevelopment</code> GitHub organizations. “Owned” means any
submodule whose remote URL is
<code>git@github.com:vasic-digital/*.git</code> or
<code>git@github.com:HelixDevelopment/*.git</code> (including the
<code>HelixDevelopment-s-Code/*</code> brand variant). Each such
submodule MUST receive in lockstep:</p>
<ol type="1">
<li><p><strong>Anti-bluff posture (CONST-035 / Article XI
§11.9):</strong> every test and Challenge in the submodule must
guarantee real, end-user-usable functionality. Metadata-only /
absence-of-error / fake-PASS results are critical defects in submodules
just as in the meta-repo.</p></li>
<li><p><strong>Comprehensive documentation:</strong> README plus user
manuals plus guides that match the submodule’s actual current
capabilities. Documentation that advertises features the code doesn’t
deliver is the same class of defect as a fake-PASS test.</p></li>
<li><p><strong>Full tests AND Challenges coverage:</strong> unit tests
where applicable, Challenges that exercise real workflows with captured
runtime evidence (per CONST-035). 100% of user-reachable surfaces must
be covered.</p></li>
<li><p><strong>Recursive propagation:</strong> when an owned submodule
itself depends on sub-submodules under <code>vasic-digital</code> or
<code>HelixDevelopment</code>, the mandate cascades. A submodule that
owns child submodules under our organizations is responsible for
cascading the mandate to them.</p></li>
<li><p><strong>Synchronized commits:</strong> when a meta-repo commit
advances state that touches a submodule’s surface, the corresponding
submodule commit MUST land in the same engineering session and be pushed
to all configured remotes.</p></li>
</ol>
<p><strong>Owned submodule baseline</strong> (direct children of the
meta-repo as of 2026-05-14): <code>vasic-digital/Containers</code>,
<code>vasic-digital/Security</code>,
<code>vasic-digital/Challenges</code>,
<code>vasic-digital/LLMsVerifier</code>,
<code>vasic-digital/Models</code>,
<code>HelixDevelopment/HelixQA</code>,
<code>HelixDevelopment/DocProcessor</code>,
<code>HelixDevelopment/LLMOrchestrator</code>,
<code>HelixDevelopment/LLMProvider</code>,
<code>HelixDevelopment/VisionEngine</code>,
<code>HelixDevelopment/HelixAgent</code>,
<code>HelixDevelopment-s-Code/Website</code>. Plus any nested submodule
under these orgs (full recursion).</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-047</code> ID reference) MUST appear in every owned
submodule’s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Non-compliance is a release blocker — same
severity as a CONST-035 bluff or a CONST-044 out-of-sync
CONTINUATION.</p>
<p><strong>Verification:</strong>
<code>scripts/verify-governance-cascade.sh</code> MUST be extended to
confirm CONST-047 anchor presence in every owned submodule (in addition
to its existing CONST-035 checks). A submodule missing the anchor is
treated identically to one missing the anti-bluff anchor: blocked from
merge.</p>
<hr />
<h2
id="const-048-full-automation-coverage-mandate-cascaded-from-constitution-submodule-11.4.25">CONST-048:
Full-Automation-Coverage Mandate (cascaded from constitution submodule
§11.4.25)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>“Make sure that every
feature, every functionality, every flow, every use case, every edge
case, every service or application, on every platform we support is
covered with full automation tests which will confirm anti-bluff policy
and provide the proof of fully working capabilities, working
implementation as expected, no issues, no bugs, fully documented, tests
covered! Nothing less than this does not give us a chance to deliver
stable product! This is mandatory constraint which MUST BE respected
without ignoring, skipping, slacking or forgetting it!”</em></p>
</blockquote>
<p>No feature / functionality / flow / use case / edge case / service /
application on any supported platform of HelixCode may be considered
deliverable until covered by automation tests proving six invariants:
(1) anti-bluff posture (CONST-035) with captured runtime evidence; (2)
proof of working capability end-to-end on target topology (no mocks
beyond unit tests — see CONST-050); (3) implementation matches
documented promise; (4) no open issues/bugs surfaced — cross-checked
against §11.4.15 / §11.4.16 trackers; (5) full documentation in sync per
§11.4.12; (6) four-layer test floor per §1 (pre-build + post-build +
runtime + paired mutation).</p>
<p>Consuming projects MUST publish a coverage ledger (feature × platform
× invariant-1..6 × status) regenerated as part of the release-gate
sweep. Gaps tracked per §11.4.15 (<code>UNCONFIRMED:</code> /
<code>PENDING_FORENSICS:</code> / <code>OPERATOR-BLOCKED:</code> with
§11.4.21 audit) — rows that quietly omit a platform are CONST-048
violations.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-048</code> ID reference) MUST appear in every owned
submodule’s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a §11.4 PASS-bluff at the
release-gate layer. No escape hatch. See constitution submodule
<code>Constitution.md</code> §11.4.25 for the full mandate.</p>
<h2
id="const-049-constitution-submodule-update-workflow-mandate-cascaded-from-constitution-submodule-11.4.26">CONST-049:
Constitution-Submodule Update Workflow Mandate (cascaded from
constitution submodule §11.4.26)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>“Every time we add something
into our root (constitution Submodule) Constitution, CLAUDE.MD and
AGENTS.MD we MUST FIRST fetch and pull all new changes / work from
constitution Submodule first! All changes we apply MUST BE commited and
pushed to all constitution Submodule upstreams! In case of conflict, IT
MUST BE carefully resolved! Nothing can be broken, made faulty,
corrupted or unusable! After merging full validation and verification
MUST BE done!”</em></p>
</blockquote>
<p>Before ANY modification to <code>constitution/Constitution.md</code>,
<code>constitution/CLAUDE.md</code>, or
<code>constitution/AGENTS.md</code>, the agent or operator MUST execute
the following 7-step pipeline in order:</p>
<ol type="1">
<li><strong>Fetch + pull first</strong> inside the constitution
submodule worktree — every configured remote fetched, then
<code>git pull --ff-only</code> (or <code>--rebase</code> if non-FF;
NEVER <code>--strategy=ours</code> /
<code>--allow-unrelated-histories</code> without explicit
authorization).</li>
<li><strong>Apply the change</strong> with §11.4.17 classification +
verbatim mandate quote.</li>
<li><strong>Validate before commit</strong> —
<code>meta_test_inheritance.sh</code> (or equivalent), no merge-conflict
markers, cross-file consistency.</li>
<li><strong>Commit + push to ALL upstreams</strong> — governance files
only (NEVER <code>git add -A</code>); push to every configured remote.
One-upstream commit = CONST-049 violation (also CONST-038/§6.W and
§2.1).</li>
<li><strong>Conflict resolution</strong> preserving union of governance
content. Force-push to bypass conflicts is FORBIDDEN (CONST-043 /
§9.2).</li>
<li><strong>Post-merge validation</strong> —
<code>git submodule update --remote --init</code> + re-run cascade
verifier (CONST-047) confirming the new clause reaches every owned
submodule.</li>
<li><strong>Bump consuming project pointer</strong> —
<code>.gitmodules</code>-tracked submodule pointer advanced to the new
constitution HEAD in the SAME commit as cascade work.</li>
</ol>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-049</code> ID reference) MUST appear in every owned
submodule’s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a force-push without
CONST-043 / §9.2 authorization. No escape hatch. See constitution
submodule <code>Constitution.md</code> §11.4.26 for the full
mandate.</p>
<h2
id="const-050-no-fakes-beyond-unit-tests-100-test-type-coverage-mandate-cascaded-from-constitution-submodule-11.4.27">CONST-050:
No-Fakes-Beyond-Unit-Tests + 100%-Test-Type-Coverage Mandate (cascaded
from constitution submodule §11.4.27)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>“Mocks, stubs, placeholders,
TODOs or FIXMEs are allowed to exist ONLY in Unit tests! All other test
types MUST interract with real fully implemented System! No fakes, empty
implementations or bluffing is allowed of any kind! All codebase of the
project MUST BE 100% covered with every supported test type: unit tests,
integration tests, e2e tests, full automation tests, security tests,
ddos tests, scaling tests, chaos tests, stress tests, performance tests,
benchmarking tests, ui tests, ux tests, Challenges (fully incorporating
our Challenges Submodule — https://github.com/vasic-digital/Challenges).
EVERYTHING MUST BE tested using helix_qa (fully incorporating helix_qa
Submodule — https://github.com/HelixDevelopment/HelixQA). helix_qa MUST
BE used with all possible written tests suites (test banks) for every
applications, service, platform, etc and execution of the full helix_qa
QA autonomous sessions! All required dependency Submodules MUST BE added
into the project as well (fully recursive!!!).”</em></p>
</blockquote>
<p>Two cooperating invariants:</p>
<p><strong>(A) No-fakes-beyond-unit-tests.</strong> Mocks, stubs, fakes,
placeholders, <code>TODO</code>, <code>FIXME</code>, “for now”, “in
production this would”, or empty-implementation patterns are PERMITTED
only in unit-test sources (<code>*_test.go</code> files invoked without
the integration build tag; <code>helix_code/tests/unit/</code>; etc.).
Every other test type — integration, E2E, full automation, security,
DDoS, scaling, chaos, stress, performance, benchmarking, UI, UX,
Challenges, helix_qa — MUST exercise the real, fully implemented
HelixCode system against real infrastructure (real PostgreSQL, real
Redis, real LLM endpoints, real containers, real captured devices).
Production code (anything under <code>helix_code/cmd/</code>,
<code>helix_code/applications/</code>,
<code>helix_code/internal/&lt;pkg&gt;/&lt;file&gt;.go</code> not ending
<code>_test.go</code>) MUST NOT import from
<code>helix_code/internal/mocks/</code>.</p>
<p><strong>(B) 100% test-type coverage.</strong> HelixCode’s codebase
MUST be covered by every supported test type the domain warrants: -
<strong>Unit</strong> — fast, isolated, mocks permitted per (A). -
<strong>Integration</strong> — multi-component, no mocks, real backing
services. - <strong>End-to-end (E2E)</strong> — full user-flow exercise
on target topology. - <strong>Full automation</strong> — orchestrated
suites exercising every feature × platform combination (CONST-048
coverage ledger). - <strong>Security</strong> — authn/authz boundaries,
CONST-042 secret-leak scans, input-fuzzing, dependency-CVE scanning,
threat-model verification. - <strong>DDoS</strong> — request-flood
resilience at advertised throughput tier. - <strong>Scaling</strong> —
horizontal + vertical scale behaviour under linear load growth. -
<strong>Chaos</strong> — controlled failure injection (network
partition, process kill, disk full, clock skew). -
<strong>Stress</strong> — sustained load above advertised tier. -
<strong>Performance</strong> — latency / throughput / tail-latency
invariants vs SLO baselines. - <strong>Benchmarking</strong> — micro +
macro suites with historical p95-drift detection. - <strong>UI</strong>
— visual-regression + DOM-state + interaction-flow coverage on every
target platform’s UI surface. - <strong>UX</strong> — flow-correctness +
accessibility + i18n + visual-cue ordering (§11.4.23 composition). -
<strong>Challenges</strong> — <code>vasic-digital/Challenges</code>
submodule (at <code>./challenges/</code>) fully incorporated;
per-feature Challenge scripts with captured runtime evidence. -
<strong>HelixQA</strong> — <code>HelixDevelopment/HelixQA</code>
submodule (at <code>./helix_qa/</code>) fully incorporated; ALL written
test banks executed; full autonomous QA sessions run as part of release
gates with captured wire evidence per check.</p>
<p><strong>Required dependency submodules</strong> (recursive per
CONST-047): - Challenges —
<code>git@github.com:vasic-digital/Challenges.git</code> — incorporated
at <code>./challenges/</code>. - helix_qa —
<code>git@github.com:HelixDevelopment/HelixQA.git</code> — incorporated
at <code>./helix_qa/</code>. - Any additional functionality submodules
under <code>vasic-digital/*</code> / <code>HelixDevelopment/*</code>
orgs that HelixCode depends on — incorporate rather than duplicate work
the orgs already maintain.</p>
<p>Submodule pointers MUST be bumped to upstream HEAD in the SAME commit
as any dependent cascade work (CONST-049 step 7). Pointer drift =
CONST-050 violation.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-050</code> ID reference) MUST appear in every owned
submodule’s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a §11.4 PASS-bluff at the
release-gate layer. No escape hatch. See constitution submodule
<code>Constitution.md</code> §11.4.27 for the full mandate.</p>
<h2
id="const-051-submodules-as-equal-codebase-decoupling-dependency-layout-mandate-cascaded-from-constitution-submodule-11.4.28">CONST-051:
Submodules-As-Equal-Codebase + Decoupling + Dependency-Layout Mandate
(cascaded from constitution submodule §11.4.28)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>“All existing Submodules in
the project that we are controlling and belong to some our organizations
(vasic-digital, HelixDevelopment, red-elf, ATMOSphere1234321,
Bear-Suite, BoatOS123456, Helix-Flow, Helix-Track, Server-Factory - we
can ALWAYS check dynamically using GitHub and GitLab CLIs) are equal
parts of the project’s codebase! We MUST work on that code as much as we
do with main project’s codebase! All on equal basis! Equally important!
We MUST take it into the account, analyze it, extend it, create missing
tests, do full testing of it, fill the gaps (if any), fix any issues
that we discover or they pop-up, write and extend the documentation,
user guides, manulas, diagrams, graphs, SQL definitions, Website(s) and
all other relevant materials! We MUST NEVER modify Submodules to bring
into them any project specific context since they all MUST BE ALWAYS
fully decoupled, project not-aware, fully reusable and modular (by any
other project(s)), completely testable! All Submodule dependencies that
are used by Submodule MUST BE acessed from the root of the project! We
MUST NOT have nested Submodule dependencies but accessing each from
proper location from the root of the project - directly from project’s
root project_name/submodule_name or some more proper structure
project_name/submodules/submodule_name!”</em></p>
</blockquote>
<p>Three cooperating invariants apply to every HelixCode-owned submodule
(those whose upstream <code>origin</code> lives under
<code>vasic-digital</code>, <code>HelixDevelopment</code>,
<code>red-elf</code>, <code>ATMOSphere1234321</code>,
<code>Bear-Suite</code>, <code>BoatOS123456</code>,
<code>Helix-Flow</code>, <code>Helix-Track</code>,
<code>Server-Factory</code>, or any subsequently authorised org):</p>
<p><strong>(A) Equal-codebase.</strong> Every owned-by-us submodule is
an <strong>equal part</strong> of HelixCode’s codebase. The same
engineering practice — analysis, extension, test creation, gap-filling,
bug-fix, documentation (user manuals, guides, diagrams, graphs, SQL
definitions, website pages, all materials) — applies to each owned
submodule on equal basis. A round of work that improves only HelixCode’s
main while leaving an owned-submodule deficiency unaddressed is a
CONST-051 violation, severity-equivalent to a §11.4 PASS-bluff at the
project-scope layer. The §11.4.25 / CONST-048 coverage ledger MUST list
every owned submodule as an in-scope target.</p>
<p><strong>(B) Decoupling / reusability.</strong> Owned submodules MUST
remain fully decoupled from HelixCode (and any other consuming project).
No HelixCode-specific context, hardcoded paths, hostnames, asset names,
or runtime assumptions may be introduced into an owned submodule’s
source tree. When a submodule needs information from HelixCode, the
honest path is configuration injection (env var, config file,
constructor parameter) — never a hardcoded reach into the parent’s tree.
Every owned submodule MUST be project-not-aware, fully reusable,
modular, and completely testable as a standalone repository.</p>
<p><strong>(C) Dependency-layout.</strong> Every dependency that an
owned submodule consumes MUST be accessible from HelixCode’s root at one
of two canonical paths: -
<code>&lt;repo_root&gt;/&lt;submodule_name&gt;/</code> (flat layout —
current HelixCode layout for Challenges, HelixQA, Containers, Security,
etc.) -
<code>&lt;repo_root&gt;/submodules/&lt;submodule_name&gt;/</code>
(grouped layout — alternate)</p>
<p><strong>Nested own-org submodule chains are FORBIDDEN.</strong> A
submodule MUST NOT have its own <code>.gitmodules</code> entries pulling
in further owned-by-us repos. Every dependency required by submodule X
is added to HelixCode’s root at the canonical path; X reaches it via
documented import / SDK path / runtime resolver — never via its own
nested submodule pointer. Third-party submodules (not under our orgs)
are exempt — they MAY appear at any depth.</p>
<p>The owned-org list is dynamically discoverable at any time via
<code>gh org list</code> / <code>glab</code> CLIs or the orgs’ public
APIs.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-051</code> ID reference) MUST appear in every owned
submodule’s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a §11.4 PASS-bluff at the
codebase-completeness layer. No escape hatch. See constitution submodule
<code>Constitution.md</code> §11.4.28 for the full mandate (audit gates,
mutation pairs, workflow integration).</p>
<hr />
<h2 id="amendment-process">Amendment Process</h2>
<p>Constitution amendments require: 1. Written proposal with rationale
2. Challenge demonstrating the need 3. 72-hour review period 4. Approval
by project architect 5. Update to all submodule governance files</p>
<hr />
<p><em>This Constitution is the supreme law of the HelixCode project. No
code, test, or process may contradict it.</em></p>
<h2
id="const-052-lowercase-snake_case-naming-mandate-cascaded-from-constitution-submodule-11.4.29">CONST-052:
Lowercase-Snake_Case-Naming Mandate (cascaded from constitution
submodule §11.4.29)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): *“naming convention for
Submodules and directories (applied deep into hierarchy recursively) -
all directories and Submodules MSUT HAVE lowercase names with space
separator between the words of ’_’ character (snake-case)! All existing
Submodules and directories which are not following this rule MUST BE
renamed! However, since this will most likely break some of the
functionalities renaming we do MUST BE applied to all references to
particular Submodule or directory! … There MUST BE reasonable exceptions
for this rules - source code for programming languages or Submodules
which apply different naming convention - Android, Java, Kotlin and
others. … Upstreams directory which all of our projects and Submodules
have MUST BE renamed to the lowercase letters too, however root project
containing the install_upstreams system command (it is exported in out
paths in our .bashrc or .zshrc) MUST BE updated to fully work with both
Upstreams and upstreams directory. … NOTE: Rules lowercase / snake-case
do apply to all project files as well and references to it and from
them!“*</p>
</blockquote>
<p>Every directory, submodule, and file in HelixCode MUST use lowercase
snake_case names. Existing non-compliant names
(<code>helix_code/</code>, <code>challenges/</code>,
<code>containers/</code>, <code>helix_agent/</code>,
<code>helix_qa/</code>, <code>security/</code>,
<code>github_pages_website/</code>, <code>upstreams/</code>,
<code>dependencies/</code>, etc.) MUST be renamed as part of the phased
migration opened by this clause. Every reference (configs, docs, links,
source-code imports, governance files) MUST be updated atomically with
the rename — reference drift after a rename is a CONST-052 violation of
equal severity to the rename itself.</p>
<p><strong>Common-sense exceptions (technology-preserving):</strong>
language-mandated case for Java/Kotlin/Android/Apple/C#/Swift INSIDE the
language root (submodule root follows our convention; subtree follows
language convention); vendor/upstream third-party submodules keep
upstream names; build artefacts (<code>node_modules</code>,
<code>__pycache__</code>, <code>.git</code>, <code>target</code>,
<code>build</code>, <code>bin</code>) keep tool-mandated names. The test
“does renaming break the technology?” trumps the rule.</p>
<p><strong><code>upstreams/</code> → <code>upstreams/</code>
transition:</strong> the constitution submodule’s
<code>install_upstreams.sh</code> (exported via
<code>.bashrc</code>/<code>.zshrc</code>) supports BOTH
<code>upstreams/</code> and <code>upstreams/</code> directory layouts
(commit <code>45d3678</code> of the constitution submodule); lowercase
wins when both present.</p>
<p><strong>Test coverage of renames</strong> (per CONST-050(B)): every
rename batch ships with (i) regression test verifying every reference
now resolves, (ii) full test-type matrix run post-rename, (iii)
anti-bluff wire-evidence captured.</p>
<p><strong>Phased execution</strong> per the operator’s explicit
instruction: comprehensive brainstorming → phase-divided plan →
fine-grained tasks/subtasks → every change covered by every applicable
test type. §11.4.20 subagent delegation for cross-cutting rename
sweeps.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-052</code> ID reference) MUST appear in every owned
submodule’s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a §11.4 PASS-bluff at the
reference-integrity layer. No escape hatch beyond the common-sense
exceptions enumerated above. See constitution submodule
<code>Constitution.md</code> §11.4.29 for the full mandate.</p>
<h2
id="const-053-.gitignore-no-versioned-build-artifacts-mandate-cascaded-from-constitution-submodule-11.4.30">CONST-053:
.gitignore + No-Versioned-Build-Artifacts Mandate (cascaded from
constitution submodule §11.4.30)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>“every project module, every
Submodule, every servcie and apolication MUST HAVE proper .gitignore
file! We MUST NOT git version build artifacts, cache files, tmp files,
main .env file(s) or any files containing sensitive data, API keys or
token! Any build derivate which we can recreate by executing proper
mechanism for generating MUST NOT be versioned! We MUST pay attention
what is going to be commited every time we are preparing to execute
commit! If any violetion is detected it MUST be fixed before commit is
executed!”</em></p>
</blockquote>
<p>Every project module, owned-by-us submodule, service, and application
MUST ship a proper <code>.gitignore</code>.
Forbidden-from-version-control classes:</p>
<ol type="1">
<li><strong>Build artefacts</strong>: <code>/bin/</code>,
<code>/build/</code>, <code>/dist/</code>, <code>/out/</code>,
<code>target/</code>, <code>*.exe</code>, <code>*.dll</code>,
<code>*.so</code>, <code>*.dylib</code>, <code>*.a</code>,
<code>*.o</code>, <code>*.class</code>, <code>*.pyc</code>,
generator-produced files when the generator is committed.</li>
<li><strong>Cache files</strong>: <code>__pycache__/</code>,
<code>.pytest_cache/</code>, <code>.mypy_cache/</code>,
<code>.ruff_cache/</code>, <code>node_modules/</code>,
<code>.next/</code>, <code>.cache/</code>, <code>.gradle/</code>,
<code>.terraform/</code>, language-server caches.</li>
<li><strong>Temp files</strong>: <code>*.tmp</code>, <code>*.swp</code>,
<code>*~</code>, <code>.DS_Store</code>, <code>Thumbs.db</code>,
<code>*.orig</code>, <code>*.rej</code>.</li>
<li><strong>Sensitive-data files</strong>: <code>.env</code>,
<code>.env.*</code> (allow <code>.env.example</code> placeholder only —
no real secrets even as examples), <code>*.pem</code>,
<code>*.key</code>, <code>*.crt</code>, <code>id_rsa*</code>,
<code>id_ed25519*</code>, <code>.netrc</code>, <code>secrets/</code>,
<code>api_keys.sh</code>.</li>
<li><strong>Generated reports/logs</strong>: <code>*.log</code>,
<code>coverage.out</code>, <code>htmlcov/</code>, runtime captures
unless reference assets.</li>
<li><strong>OS/IDE personal state</strong>: <code>.idea/</code>,
<code>.history/</code>, <code>.vscode/</code> (except shared
settings).</li>
</ol>
<p><strong>Anti-bluff invariant</strong>: <code>.gitignore</code> line
alone is not sufficient — no file matching the forbidden patterns may be
CURRENTLY TRACKED. A tracked <code>*.log</code> despite the ignore-line
is a violation of equal severity to no ignore-line at all.</p>
<p><strong>Pre-commit attention</strong>: every commit author (human OR
agent) MUST inspect <code>git diff --staged</code> +
<code>git status</code> BEFORE executing the commit. Forbidden-class
hits abort the commit until fixed (un-stage, add to
<code>.gitignore</code>, scrub if already-tracked). Gate
<code>CM-GITIGNORE-PRECOMMIT-AUDIT</code> + paired mutation.</p>
<p><strong>Secret-leak intersection (CONST-042 / §11.4.10):</strong> a
<code>.env</code> leak is BOTH a CONST-053 and a CONST-042 violation;
rotation + post-mortem required.</p>
<p><strong>Recreatable-content test</strong>: if a documented mechanism
regenerates the file from sources, it is a build derivative and MUST be
ignored. The committed sources MUST include the generator.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-053</code> ID reference) MUST appear in every owned
submodule’s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a §11.4 PASS-bluff at the
repository-hygiene layer. See constitution submodule
<code>Constitution.md</code> §11.4.30 for the full mandate.</p>
<h2
id="const-054-submodule-dependency-manifest-mandate-cascaded-from-constitution-submodule-11.4.31">CONST-054:
Submodule-Dependency-Manifest Mandate (cascaded from constitution
submodule §11.4.31)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>“We MUST HAVE mechanism for
each Submodule to determine / know what are its Submodule dependencies
so new projects or palces we are incorporate them can add these
Submodules to the project root and make them available! Suggested idea
is configuration file with expected Submodules Git ssh urls perhaps? New
project can read it, and recursively add each Submodule to the root of
the project and install / expose it to veryone.”</em></p>
</blockquote>
<p>Every owned-by-us submodule MUST ship <code>helix-deps.yaml</code> at
its root declaring its own-org dependencies. Schema:
<code>schema_version</code>,
<code>deps: [{name, ssh_url, ref, why, layout: flat|grouped}]</code>,
<code>transitive_handling.{recursive,conflict_resolution}</code>,
<code>language_specific_subtree</code>. Tooling:
<code>incorporate-submodule &lt;ssh-url&gt;</code> adds the submodule at
the parent project’s canonical path (CONST-051(C)), reads
<code>helix-deps.yaml</code>, recurses for each declared dep, aborts on
conflicting refs, emits <code>&lt;root&gt;/.helix-manifest.yaml</code>
audit record.</p>
<p>Anti-bluff guarantee: every manifest paired with a Challenge that
bootstraps a throwaway consuming project, runs
<code>incorporate-submodule</code>, asserts produced layout matches the
manifest, runs the submodule’s own tests against the bootstrapped
layout, captures wire evidence per §11.4.2. A manifest without this
proof is a CONST-054 violation.</p>
<p>§11.4.31 / CONST-054 is the <strong>operational complement</strong>
of CONST-051(C): nested own-org submodule chains are FORBIDDEN —
manifests are the bridge that lets consumers reconstruct the dependency
graph at the parent root.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-054</code> ID reference) MUST appear in every owned
submodule’s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to §11.4 PASS-bluff at the
dependency-graph layer. See constitution submodule
<code>Constitution.md</code> §11.4.31 for the full mandate.</p>
<h2
id="const-055-post-constitution-pull-validation-mandate-cascaded-from-constitution-submodule-11.4.32">CONST-055:
Post-Constitution-Pull Validation Mandate (cascaded from constitution
submodule §11.4.32)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>“Every time we fetch and pull
new changes on constitution Submodule we MUST process the whole project
and all Submodule (deep recursively) for validation and verification
taht every single rule or mandatory constraint is followed and
respected! If it is not, IT MUST BE!”</em></p>
</blockquote>
<p>Whenever a project’s constitution submodule is fetched + pulled with
any content change, the project MUST run
<code>scripts/verify-all-constitution-rules.sh</code> BEFORE the new
constitution HEAD is treated as canonical for any other work. The sweep
re-runs the governance-cascade verifier AND every implementable rule
gate (CONST-053 <code>.gitignore</code> audit, CONST-051(C)
nested-own-org-chain audit, CONST-052 case audit, CONST-050(A)
mock-from-production audit, CONST-035 anti-bluff smoke, etc.) against
the post-pull tree. Failures populate the project’s Issues tracker per
§11.4.15 (Status: <code>Reopened</code>, Type: <code>Bug</code>);
closure requires positive-evidence per §11.4.</p>
<p>Pull-time invocation:
<code>git submodule update --remote constitution</code> triggers the
sweep automatically (post-update hook OR commit-wrapper invocation).
Operator-explicit manual invocation also available.</p>
<p>Anti-bluff: the sweep’s own meta-test (paired mutation per §1.1)
plants a known violation of each enforced gate and asserts the sweep
reports FAIL for the planted gate. A sweep that exits PASS without
running every implementable gate is a CONST-055 violation.</p>
<p>CONST-055 is the <strong>enforcement engine</strong> for every other
§11.4.x and CONST-NNN rule — without it, new rules cascade as anchors
but never get enforced.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-055</code> ID reference) MUST appear in every owned
submodule’s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to §11.4 PASS-bluff at the
constitutional-enforcement layer. See constitution submodule
<code>Constitution.md</code> §11.4.32 for the full mandate.</p>
<h2
id="const-056-mandatory-install_upstreams-on-cloneadd-mandate-cascaded-from-constitution-submodule-11.4.36">CONST-056:
Mandatory install_upstreams on clone/add Mandate (cascaded from
constitution submodule §11.4.36)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>“Every Submodule or Git
repository we add or clone MUST BE upstreams installed using
Upstreamable utility which MUST BE available through exported paths of
the host system (in .bashrc or .zhrc) using install_upstreams command
executed from the root of the cloned (added) repository - only if in it
is Upstreams or upstreams directory present with bash script files
(recipes) for all repository’s upstreams!”</em></p>
</blockquote>
<p>Every clone / add of a Git repository under HelixCode MUST be
followed by <code>install_upstreams</code> invocation from the
repository’s root IF its tree contains <code>upstreams/</code> (or
legacy <code>upstreams/</code> per CONST-052 transition) populated with
<code>*.sh</code> recipe files. The utility (installed on operator’s
<code>PATH</code> via <code>.bashrc</code>/<code>.zshrc</code>;
implementation in the constitution submodule’s
<code>install_upstreams.sh</code> — already supports BOTH directory
names since constitution commit <code>45d3678</code>) reads the recipe
files, configures every declared upstream as a named git remote, and
fans out <code>origin</code> push URLs.</p>
<p>Skipping the invocation when <code>upstreams/</code> is present
silently breaks §2.1 (multi-upstream push is the norm) — the next push
lands on only one upstream. Gate
<code>CM-INSTALL-UPSTREAMS-ON-CLONE</code> + paired mutation.
Automation: the future <code>incorporate-submodule</code> per CONST-054
auto-invokes; manual invocation supported. Pre-commit check:
<code>git remote -v | grep -c push</code> reports expected count.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-056</code> ID reference) MUST appear in every owned
submodule’s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. See constitution submodule
<code>Constitution.md</code> §11.4.36 for the full mandate.</p>
<h2
id="const-057-type-aware-closure-status-vocabulary-cascaded-from-constitution-submodule-11.4.33">CONST-057:
Type-aware Closure-Status Vocabulary (cascaded from constitution
submodule §11.4.33)</h2>
<p>Every project tracking work items by Type per §11.4.16 MUST close
them with the Type-appropriate terminal <code>**Status:**</code> value,
drawn from this 3-element closed map:</p>
<table>
<thead>
<tr>
<th>Item <code>**Type:**</code></th>
<th>Closure <code>**Status:**</code> value</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>Bug</code></td>
<td><code>Fixed (→ Fixed.md)</code></td>
</tr>
<tr>
<td><code>Feature</code></td>
<td><code>Implemented (→ Fixed.md)</code></td>
</tr>
<tr>
<td><code>Task</code></td>
<td><code>Completed (→ Fixed.md)</code></td>
</tr>
</tbody>
</table>
<p>The <code>(→ Fixed.md)</code> suffix is preserved across all three so
the existing migration-discipline tooling (atomic Issues.md → Fixed.md
move per §11.4.19) keeps working without per-Type branching. Generators
(<code>generate_issues_summary.sh</code>,
<code>generate_fixed_summary.sh</code>, the §11.4.23 colorizer) MUST
treat the three terminal values as semantically equivalent (all “closed,
positive evidence captured”) while preserving the literal in the emitted
document.</p>
<p>Closing a <code>Feature</code> with <code>Fixed (→ Fixed.md)</code>
or a <code>Task</code> with <code>Implemented (→ Fixed.md)</code> is a
CONST-057 violation. Gate <code>CM-CLOSURE-VOCAB-TYPE-AWARE</code> walks
every Fixed.md heading + every Issues.md heading whose
<code>**Status:**</code> is one of the three terminal values and asserts
the Status-Type match. Composes with §11.4.15 / §11.4.16 / §11.4.19 /
§11.4.23.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-057</code> ID reference) MUST appear in every owned
submodule’s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. See constitution submodule
<code>Constitution.md</code> §11.4.33 for the full mandate.</p>
<h2
id="const-058-reopened-source-attribution-mandate-cascaded-from-constitution-submodule-11.4.34">CONST-058:
Reopened-Source Attribution Mandate (cascaded from constitution
submodule §11.4.34)</h2>
<p>Every Issues.md (or equivalent project tracker) heading whose
<code>**Status:**</code> is <code>Reopened</code> MUST carry, within 8
non-blank lines of the heading, a <code>**Reopened-Details:**</code>
line capturing four sub-facts:</p>
<ul>
<li><strong>By:</strong> <code>AI</code> or <code>User</code>
(source-of-truth observer who flipped the status). <code>AI</code>
covers in-loop reopens (test failure, gate regression, captured-evidence
retrospect). <code>User</code> covers operator-side observations (manual
testing, end-user report, design reconsideration).</li>
<li><strong>On:</strong> ISO date (<code>YYYY-MM-DD</code>).</li>
<li><strong>Reason:</strong> one-line cause classification — chosen from
the closed vocabulary
<code>{ test-failed | manual-testing-detected | captured-evidence-contradicts | end-user-report | cycle-re-discovered | design-reconsidered }</code>.
Other values permitted with explicit
<code>Reason: &lt;free text&gt;</code> annotation but the closed list
MUST be tried first.</li>
<li><strong>Evidence:</strong> path to or short description of the
captured artefact justifying the reopen — log file, recording, gate
failure ID, operator quote, etc. Reopens without evidence are §11.4.6 /
§11.4.7 violations (demotion from Fixed requires captured evidence under
the conditions that re-exposed the defect).</li>
</ul>
<p>The Issues_Summary.md Status column MUST distinguish the four
<code>Reopened</code> sub-states by source so a sweep query for “reopens
by AI in the last 30 days” is mechanically possible. Suggested column
rendering: <code>Reopened (AI: test-failed)</code> vs
<code>Reopened (User: manual-testing)</code>. Gate
<code>CM-ITEM-REOPENED-DETAILS</code> mirrors
<code>CM-ITEM-OPERATOR-BLOCKED-DETAILS</code> (§11.4.21 walk pattern).
Composes with §11.4.6 / §11.4.7 / §11.4.15 / §11.4.21.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-058</code> ID reference) MUST appear in every owned
submodule’s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. See constitution submodule
<code>Constitution.md</code> §11.4.34 for the full mandate.</p>
<h2
id="const-059-canonical-root-inheritance-clarity-cascaded-from-constitution-submodule-11.4.35">CONST-059:
Canonical-Root Inheritance Clarity (cascaded from constitution submodule
§11.4.35)</h2>
<p>The <strong>constitution submodule’s</strong> three files
(<code>constitution/Constitution.md</code>,
<code>constitution/CLAUDE.md</code>,
<code>constitution/AGENTS.md</code>) ARE the <strong>canonical
root</strong> (also called the <strong>parent</strong> files). They
contain only universal rules per §11.4.17.</p>
<p>The consuming project’s <strong>repository-root files</strong>
(<code>&lt;project-root&gt;/CLAUDE.md</code>,
<code>&lt;project-root&gt;/AGENTS.md</code>, optionally
<code>&lt;project-root&gt;/Constitution.md</code>) are <strong>consumer
extensions</strong>. They MUST start with the inheritance pointer
(either the Claude-Code native <code>@constitution/CLAUDE.md</code>
import or the portable
<code>## INHERITED FROM constitution/CLAUDE.md</code> heading). They
contain only project-specific rules per §11.4.17.</p>
<p><strong>When in doubt about which file to edit:</strong> universal
rule → constitution submodule’s file; project-specific rule → consumer’s
file. Default consumer-side when uncertain (§11.4.17 — narrower scope is
cheap to widen).</p>
<p><strong>Terminology:</strong> “the parent CLAUDE.md” / “the root
Constitution” → constitution-submodule file at
<code>constitution/&lt;filename&gt;</code>; “the project CLAUDE.md” /
“this project’s AGENTS.md” → consumer-side file at
<code>&lt;project-root&gt;/&lt;filename&gt;</code>.</p>
<p><strong>No silent demotion or silent promotion.</strong> Moving a
rule between layers MUST be a visible commit — <code>git mv</code> of a
section if it’s a clean clone, or explicit
<code>Lifted from &lt;project&gt; to constitution per §11.4.35</code> /
<code>Demoted from constitution to &lt;project&gt; per §11.4.35</code>
commit-message annotation.</p>
<p>Gate <code>CM-CANONICAL-ROOT-CLARITY</code> verifies (a) consumer’s
<code>CLAUDE.md</code> opens with the inheritance pointer, (b)
constitution submodule’s three files are present at the expected path,
(c) no <code>## INHERITED FROM</code> block in the constitution
submodule’s own files (those ARE the source-of-truth, not consumers).
Composes with §11.4.17.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>CONST-059</code> ID reference) MUST appear in every owned
submodule’s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. See constitution submodule
<code>Constitution.md</code> §11.4.35 for the full mandate.</p>
<h2
id="const-060-fetch-before-edit-mandate-cascaded-from-constitution-submodule-11.4.37">CONST-060:
Fetch-before-edit Mandate (cascaded from constitution submodule
§11.4.37)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-15): <em>“Make sure that
feedback_fetch_before_edit memory rule is part of our constitution
Submodule - the root Consitution, AGENTS.MD and CLAUDE.MD. Validate and
verify that Proejct-Toolkit and all Submodules do inherit all of them!
Follow the constitution Submodule documentation for details.”</em></p>
</blockquote>
<p>The FIRST git-touching action of every session, on every consuming
project (owned or third-party), MUST be:</p>
<div class="sourceCode" id="cb4"><pre
class="sourceCode bash"><code class="sourceCode bash"><span id="cb4-1"><a href="#cb4-1" aria-hidden="true" tabindex="-1"></a><span class="fu">git</span> fetch <span class="at">--all</span> <span class="at">--prune</span></span>
<span id="cb4-2"><a href="#cb4-2" aria-hidden="true" tabindex="-1"></a><span class="fu">git</span> log <span class="at">--oneline</span> HEAD..@{u}</span>
<span id="cb4-3"><a href="#cb4-3" aria-hidden="true" tabindex="-1"></a><span class="fu">git</span> submodule foreach <span class="at">--recursive</span> <span class="st">&#39;git fetch --all --prune --quiet&#39;</span></span></code></pre></div>
<p>If <code>HEAD..@{u}</code> is non-empty, integrate the upstream
changes BEFORE any local edit. Acting on stale local state produces
three failure modes documented in the originating §11.4.37 incident
(multi-agent / parallel-session work): (1) <strong>redundant
work</strong> — the agent re-does what a parallel session already
finished, (2) <strong>false confidence</strong> — completion reports for
already-done work, (3) <strong>divergent history</strong> — duplicate
sibling commits that double the conflict surface on next push.</p>
<p><strong>Anti-bluff invariant</strong>: the fetch+log check MUST
produce captured evidence — the actual <code>HEAD..@{u}</code> output,
even if empty. Skipping the check on the basis of “I just fetched” or
“nothing could have changed in the last N minutes” is a §11.4.6
(no-guessing) violation: the remote state is not knowable without a
fetch.</p>
<p><strong>Cascade requirement</strong>: This anchor (verbatim or by
<code>CONST-060</code> ID reference) MUST appear in every owned
submodule’s <code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to §11.4 PASS-bluff at the
parallel-session-coordination layer. See constitution submodule
<code>Constitution.md</code> §11.4.37 for the full mandate.</p>
<h2
id="positive-sink-side-downstream-evidence-mandate-cascaded-from-constitution-submodule-11.4.68">§11.4.68
— Positive Sink-Side / Downstream Evidence Mandate (cascaded from
constitution submodule §11.4.68)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-20): <em>“We still do not hear any
audio played from D3 device! Arvus Web Dashboard when we play music from
D3 shows nothing for Codec In Use! This MUST BE investigated and fixed!
How come we passed the tests with Arvus validation? What were values for
the Codec In Use field? Empty means nothing! This is not working! It
MUST BE FIXED, TESTED AND VERIFIED WITH FULL AUTOMATION TESTING
ASAP!!!”</em></p>
</blockquote>
<p>A test that asserts audio or video routing PASS MUST capture and
verify <strong>positive sink-side or downstream evidence</strong> —
never config-only, never metadata-only, never PCM-open-state-only. At
least one of the closed enumeration MUST be captured for every
audio/video routing PASS: (1) sink-side codec-state with non-empty
Codec-In-Use matching the expected codec regex; (2) strictly-positive
PCM frames-written delta from
<code>/proc/asound/.../status hw_ptr</code>; (3) ALSA ELD/EDID-Like-Data
showing negotiated channel count + format; (4) ffprobe-on-captured-mp4
with non-zero frame count + expected codec/resolution/fps; (5)
recording-analyzer event match per §11.4.2/§11.4.5; (6) tinycap RMS
amplitude above the line-level floor. Empty /
<code>&lt;unreachable&gt;</code> / <code>&lt;N.E.&gt;</code> /
<code>&lt;None&gt;</code> placeholders are NOT positive evidence; a
missing-but-required sink is <code>OPERATOR-BLOCKED</code>
(release-blocker), never SKIP, never PASS. No escape hatch — no
<code>--skip-sink-evidence</code>, <code>--allow-empty-codec</code>,
<code>--sink-unreachable-is-pass</code>,
<code>--metadata-only-suffices</code> flag exists.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.68</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a §11.4 PASS-bluff at the
sink-side-evidence layer. <strong>Canonical authority:</strong>
constitution submodule <code>Constitution.md</code> §11.4.68 for the
full mandate.</p>
<h2
id="subagent-driven-execution-is-the-default-cascaded-from-constitution-submodule-11.4.70">§11.4.70
— Subagent-Driven Execution Is The Default (cascaded from constitution
submodule §11.4.70)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-20): <em>“Always do if possible
Subagent-driven! Add this into our root (constitution Submodule)
Constitution.md, CLAUDE.md and AGENTS.md. This should be the default
choice ALWAYS!”</em></p>
</blockquote>
<p>When executing implementation plans (or any task-decomposed execution
flow), the <strong>default execution model is subagent-driven</strong>
per <code>superpowers:subagent-driven-development</code>. Inline
execution is permitted ONLY when (a) the task is trivial AND fits a
single sub-300-line edit, OR (b) the operator explicitly requests inline
at brainstorm-handoff time. Subagent-driven is the default because it
gives isolated context per task, naturally enforces two-stage review, is
parallel-PWU compatible (§11.4.58), creates an anti-bluff seam (§11.4),
and survives operator absence. No escape hatch —
<code>--inline-execution-required</code>, <code>--no-subagents</code>,
<code>--monolithic-execution</code> are NOT permitted flags. Skipping
subagent-driven for non-trivial work without recorded operator
authorisation is itself a §11.4 PASS-bluff.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.70</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a §11.4 PASS-bluff at the
execution-model layer. <strong>Canonical authority:</strong>
constitution submodule <code>Constitution.md</code> §11.4.70 for the
full mandate.</p>
<h2
id="pre-push-fetch-investigate-integrate-mandate-cascaded-from-constitution-submodule-11.4.71">§11.4.71
— Pre-Push Fetch + Investigate + Integrate Mandate (cascaded from
constitution submodule §11.4.71)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-20): <em>“before pushing changes to
any upstream for any repository - main repo or Submodule, we MUST fetch
and pull all changes. Once these are obtained WE MUST investigate what
is different compared to head position we were on last time before
fetching and pulling new changes! We MUST understand what is done and
for what purpose, easpecially how that does affect our project and our
System in general! Any mandatory changes or improvements required by
fresh changes we just have brough in MUST BE incorporated, covered with
all supported types of the tests which will produce as a result of its
success execution REAL PROOFS of working for all componetns and
functionalities covered and work fully in anti-bluff manner!”</em></p>
</blockquote>
<p>The everyday-push variant of §11.4.41. EVERY push (every repository —
main + every submodule) MUST follow the 5-step cycle: (1) fetch all
remotes (<code>git fetch --all --prune --tags</code>, capture stdout);
(2) pull all upstream branches whose tip differs, resolving conflicts
per consumer judgment (never
auto-<code>--ours</code>/<code>--theirs</code>); (3) investigate the
diff vs OUR previous HEAD — read EVERY foreign commit’s body, understand
what/why/how-it-affects-our-system; (4) integrate mandatory changes with
§11.4.4(b) four-layer coverage + §11.4.43 TDD-fix discipline, every PASS
carrying §11.4.5 captured-evidence (REAL PROOFS, not metadata-only); (5)
only then push, verifying with <code>git ls-remote</code> post-push. No
escape hatch — no <code>--skip-fetch</code>,
<code>--no-investigate</code>, <code>--fast-push</code>,
<code>--trust-upstream</code> flag.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.71</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a §11.4 PASS-bluff at the
push-discipline layer. <strong>Canonical authority:</strong>
constitution submodule <code>Constitution.md</code> §11.4.71 for the
full mandate.</p>
<h2
id="audio-top-priority-mandate-cascaded-from-constitution-submodule-11.4.72">§11.4.72
— Audio Top-Priority Mandate (cascaded from constitution submodule
§11.4.72)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-20): <em>“Make sure all fixes for
audio are always top priority in main working stream!”</em></p>
</blockquote>
<p>The conductor (main working stream — Claude Code session, AI agent,
or human operator) MUST treat audio fixes as the highest-priority class
on the serial dispatch queue. Any time the conductor faces a choice
between dispatching an audio task vs a non-audio task on the SAME serial
resource, the audio task wins. Parallel BACKGROUND subagents (research,
refactors, infrastructure documentation) MAY run concurrently with audio
work but do NOT preempt audio on the main-stream serial dispatch queue.
No escape hatch — there is no “but this non-audio task is faster” or
“but this research is more interesting” override; audio-stack
regressions are user-perceptible and high-impact while research and
refactors can wait.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.72</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a process violation at
the dispatch-priority layer. <strong>Canonical authority:</strong>
constitution submodule <code>Constitution.md</code> §11.4.72 for the
full mandate.</p>
<h2
id="main-specification-document-versioning-revision-discipline-cascaded-from-constitution-submodule-11.4.73">§11.4.73
— Main-Specification Document Versioning + Revision Discipline (cascaded
from constitution submodule §11.4.73)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-20): <em>“Make sure everything we add
now in previous and upcoming requests IS ALWAYS applied to the main
specification — if we have one. Since all these are not major changes we
could increase Specification version per change for secondary version
instead of the primary. Primary version MUST BE increased for much
bigger levels of changes! Add this into root (constitution Submodule)
Constitution.md, CLAUDE.md and AGENTS.md as mandatory rule / constraint
applicable ONLY IF we have something like the main specification
document or we do recognize something like the main specification
document. Document MUST BE updated ALWAYS to follow the versioning rules
we are appling here + revision and other properties we have!”</em></p>
</blockquote>
<p>Applies <strong>only when a project recognises a main specification
document</strong>. When it does: (1) every additive operator
requirement, refinement, or accepted recommendation MUST be applied to
the spec before or as part of the implementing work; (2) spec versioning
has two axes — <em>primary</em> (V1/V2/V3, bumped for major rewrites by
explicit operator decision, old versions archived) and
<em>secondary</em> (the §11.4.61 metadata-table <code>Revision</code>
integer, bumped for every other change); (3) the metadata table MUST
stay current (<code>Revision</code>, <code>Last modified</code>,
<code>Status summary</code>, <code>Fixed</code>); (4) propagated copies
of the rule MUST reference the active
<code>specification.V&lt;primary&gt;.md</code>, not a stale archive; (5)
on primary bump the old file moves to
<code>&lt;spec-dir&gt;/archive/</code> with
<code>Status: superseded</code>. Classification: universal, applicable
conditionally per the scope condition.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.73</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a release blocker when a
project has a main spec and lets it drift. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.73 for the full mandate.</p>
<h2
id="submodule-catalogue-first-discovery-extend-dont-reimplement-cascaded-from-constitution-submodule-11.4.74">§11.4.74
— Submodule-Catalogue-First Discovery + Extend-Don’t-Reimplement
(cascaded from constitution submodule §11.4.74)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-20): <em>“We MUST ALWAYS check which
already developed features / functionalities do exist as a part of our
comprehensive Submodules catalogue located in vasic-digital and
HelixDevelopment organizations on GitHub and GitLab both! Project MUST
BE aware of all its existence so we do not implement same things
multiple times if they are already done as some of existing universal,
reusable general development purpose Submodules! For any missing
features that some Submodules we incorporate may be missing we MUST
IMPLEMENT the properly and extend those Submodules furter! We do control
all of the and we CAN and MUST maintain and extend the regularly! All
development cycle rules we have MUST BE applied to them and fully
respected!”</em></p>
</blockquote>
<p>Before scaffolding ANY new module, package, helper, or utility, the
contributor (human or AI agent) MUST: (1) survey the canonical Submodule
catalogue — <code>vasic-digital</code> and <code>HelixDevelopment</code>
on both GitHub AND GitLab; (2) inventory existing Submodules; (3) reuse
before reimplement — if a Submodule provides the functionality (or 80%+
of it), add it as a Git submodule rather than write fresh; (4) extend
in-place when 80%+ matches but features are missing — add the missing
features TO THAT SUBMODULE (PR upstream + bump pointer), never as a
duplicating consuming-project helper; (5) apply all development-cycle
rules to those Submodules; (6) document the survey result in the
feature’s tracker entry with a <code>Catalogue-Check:</code> field
(<code>reuse &lt;org/repo&gt;@&lt;sha&gt;</code> /
<code>extend &lt;org/repo&gt;@&lt;sha&gt;</code> /
<code>no-match &lt;date&gt;</code>). Classification: universal.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.74</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Severity-equivalent to a process violation;
duplicate implementations landed without catalogue check are release
blockers. <strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.74 for the full mandate.</p>
<hr />
<h2
id="universal-sink-side-positive-evidence-taxonomy-mechanical-enforcement-cascaded-from-constitution-submodule-11.4.69">§11.4.69
— Universal Sink-Side Positive-Evidence Taxonomy + Mechanical
Enforcement (cascaded from constitution submodule §11.4.69)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-20): <em>“THIS MUST HAPPEN NEVER
AGAIN!!! We MUST HAVE this all working! Not just for audio but for every
single piece of the System!!! Proper full automation when executed with
success MUST MEAN that manual testing will be as much positive at least
regarding the success results! … Solution MUST BE universal, generic
that solves working flows for all System components and for all future
and all existing projects! … Everything we do MUST BE validated and
verified with rock-solid proofs and anti-bluff policy enforcement and
fulfillment!”</em></p>
</blockquote>
<p>Universal generalisation of §11.4.68 (audio-specific) across every
user-visible feature class. Every user-visible feature MUST map to one
entry in the closed-set §11.4.69 sink-side evidence taxonomy
(<code>audio_output</code>, <code>audio_input</code>,
<code>video_display</code>, <code>network_throughput</code>,
<code>network_connectivity</code>, <code>bluetooth_a2dp</code>,
<code>bluetooth_pair</code>, <code>touch_input</code>,
<code>sensor</code>, <code>gpu_render</code>, <code>storage_read</code>,
<code>storage_write</code>, <code>mediacodec_decode</code>,
<code>mediacodec_encode</code>, <code>miracast</code>,
<code>cast</code>, <code>boot_service</code>,
<code>package_install</code>, <code>permission_grant</code>,
<code>wifi_link</code>, <code>wifi_throughput</code>,
<code>ethernet_link</code>, <code>display_topology</code>,
<code>drm_playback</code>, <code>subtitle_render</code> — open to
additions, never contraction). Every PASS for a feature in the taxonomy
MUST cite a captured-evidence artefact path matching the required
evidence shape. New helper contracts (additive during grace, mandatory
after 2026-06-19):
<code>ab_pass_with_evidence &lt;description&gt; &lt;evidence_path&gt;</code>
(verifies path exists + non-empty),
<code>ab_skip_with_reason &lt;description&gt; &lt;closed-set-reason&gt;</code>
(reasons: <code>geo_restricted</code>, <code>operator_attended</code>,
<code>hardware_not_present</code>, <code>topology_unsupported</code>,
<code>network_unreachable_external</code>,
<code>feature_disabled_by_config</code>; forbids
<code>network_unreachable_external</code> for any taxonomy feature with
a sink-side probe); bare <code>ab_pass</code> deprecated (WARN
pre-grace, FAIL post-grace). Three pre-build gates + paired §1.1
mutations: <code>CM-SINK-EVIDENCE-PER-FEATURE</code>,
<code>CM-NO-FAIL-OPEN-SKIP</code>,
<code>CM-AB-PASS-WITH-EVIDENCE-EVERYWHERE</code>. No escape hatch — no
<code>--skip-evidence</code>, <code>--config-only-pass</code>,
<code>--allow-fail-open-skip</code>,
<code>--legacy-ab-pass-permitted</code> flag.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.69</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-69-PROPAGATION</code> enforces the anchor literal
across the consumer fleet; paired mutation strips the literal → gate
FAILs. Severity-equivalent to a §11.4 PASS-bluff at the
sink-side-evidence layer. <strong>Canonical authority:</strong>
constitution submodule <code>Constitution.md</code> §11.4.69 for the
full mandate.</p>
<hr />
<h2
id="mechanical-enforcement-without-exception-cascaded-from-constitution-submodule-11.4.75">§11.4.75
— Mechanical Enforcement Without Exception (cascaded from constitution
submodule §11.4.75)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-20): <em>“Why do these violations
still happen!? This is a serious problem! We cannot rely on stability
nor consistency if we cannot respect our Constitution, mandatory rules
and constraints! Is there a way to make this always respected, followed
and applied without exception fully and unconditionally!? WE MUST HAVE
THIS WORKING FLAWLESSLY!!! Do investigate the root causes of such
problems! Once all problems are identified WE MUST apply proper
mechanisms for this not to happen NEVER EVER AGAIN!”</em></p>
</blockquote>
<p>The §11.4 covenant historically relied on agent + operator vigilance;
three 2026-05-19→20 forensic incidents proved that late-binding
enforcement fires hours-to-days after the violator commit reaches every
remote. §11.4.75 closes the gap with FIVE independent mechanical
enforcement layers — bypassing any single layer does not bypass the
discipline: (1) local <code>pre-commit</code> git hook (refuses staged
<code>.md</code> lacking sibling <code>.html</code>+<code>.pdf</code>);
(2) <code>commit_all.sh</code> integration
(<code>_constitution_sibling_check</code> +
auto-<code>sync_all_markdown_exports.sh</code> self-repair); (3) local
<code>pre-push</code> git hook (re-runs siblings + propagation-gate
subset); (4) <code>post-commit</code> auto-repair hook (auto-generates
orphan-<code>.md</code> siblings, idempotent + recursion-guarded); (5)
local-only final-gate ritual (remote CI DISABLED per User mandate —
operator runs <code>pre_build_verification.sh</code> + meta-test before
every tag per §11.4.40). Helper contracts:
<code>scripts/install_git_hooks.sh</code>,
<code>scripts/git_hooks/{pre-commit,pre-push,post-commit,commit-msg}</code>,
<code>_constitution_sibling_check</code>. The <code>commit-msg</code>
hook enforces a <code>Bypass-rationale: &lt;reason&gt;</code> footer
when <code>--no-verify</code> is detected;
<code>docs/audit/bypass_events.md</code> accumulates the audit trail.
Five gates with paired §1.1 mutations:
<code>CM-COVENANT-114-75-PROPAGATION</code>,
<code>CM-GIT-HOOKS-INSTALL-SCRIPT</code>,
<code>CM-GIT-HOOKS-SOURCE-DIR</code>,
<code>CM-COMMIT-ALL-SIBLING-CHECK</code>,
<code>CM-CI-WORKFLOW-PRESENT</code>. No escape hatch — no
<code>--skip-hooks</code>, <code>--bypass-enforcement</code>,
<code>--allow-orphan-md</code>, <code>--ci-not-applicable</code>,
<code>--mechanical-enforcement-not-needed</code> flag.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.75</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-75-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Severity-equivalent to a §11.4 PASS-bluff at the
enforcement layer. <strong>Canonical authority:</strong> constitution
submodule <code>Constitution.md</code> §11.4.75 for the full
mandate.</p>
<hr />
<h2
id="containers-submodule-mandate-cascaded-from-constitution-submodule-11.4.76">§11.4.76
— Containers-Submodule Mandate (cascaded from constitution submodule
§11.4.76)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-20): <em>“For any work or requirements
of running services or codebase inside the Containers (Docker / Podman /
Qemy / Emulators, and so on) we MUST USE / INCORPORATE the Containers
Submodule properly: https://github.com/vasic-digital/containers
(git@github.com:vasic-digital/containers.git). Containers Submodule
contains all means for us to Containerize our code and services! If any
feature or Containing System is missing or not supported we MUST EXTEND
IT properly like we do all of our projects! No bluff work is allowed of
any kind!”</em></p>
</blockquote>
<p>For ANY containerized workload (Docker / Podman / Qemu / Kubernetes /
container-backed emulators), every consuming project MUST: (1) install
<code>vasic-digital/containers</code>
(<code>digital.vasic.containers</code>) as a Git submodule; (2) consume
via <code>replace</code> directive during development + pinned commit
SHAs in production; (3) boot infra on-demand via <code>pkg/boot</code> +
<code>pkg/compose</code> + <code>pkg/health</code> so operators are
never required to start <code>podman machine</code> /
<code>docker compose up</code> manually — the boot is part of the test
entry point (the on-demand-infra invariant); (4) extend the Submodule
(PR upstream) for missing runtimes / lifecycle primitives — never
reimplement in-project (per §11.4.74); (5) anti-bluff: integration tests
claiming to exercise containerized components MUST actually boot them
via the Submodule — short-circuit fakes that bypass boot are a §11.4
violation. Tracker rows touching containerization MUST record
<code>Catalogue-Check: extend vasic-digital/containers@&lt;sha&gt;</code>
(or <code>reuse</code>). Planned gate <code>CM-CONTAINERS-USED</code>
scans container-touching PRs for
<code>digital.vasic.containers/...</code> imports; paired mutation
strips the import + asserts FAIL.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.76</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-76-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. <strong>Canonical authority:</strong> constitution
submodule <code>Constitution.md</code> §11.4.76 for the full
mandate.</p>
<hr />
<h2
id="regeneration-mechanism-required-mandate-cascaded-from-constitution-submodule-11.4.77">§11.4.77
— Regeneration-Mechanism-Required Mandate (cascaded from constitution
submodule §11.4.77)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-20): <em>“We must be sure that after
excluding anything from Git versioning we still have the mechanism which
will out of the box obtain or re-generate missing content!”</em></p>
</blockquote>
<p>Every <code>.gitignore</code> entry excluding (a) &gt;~100 MiB OR (b)
any artefact essential to building / running / testing the project MUST
carry a documented + automated mechanism to either re-obtain (download
from authoritative source: vendor tarball, SDK installer,
npm/pip/cargo/go-mod/container registry, dedicated git submodule,
S3/GCS) OR re-generate (run from tracked source via build pipeline,
code-gen, asset render, captured-evidence replay, container build).
Required artefacts per qualifying entry: (1)
<code>.gitignore-meta/&lt;entry-slug&gt;.yaml</code> declaring pattern +
mechanism-type + script-path + expected-disk-usage +
vendor-url-or-source + integrity hash + requires-network +
requires-credentials; (2) a non-interactive entry in
<code>scripts/setup.sh</code> post-clone bootstrap; (3) a pre-build gate
verifying regenerated content present OR a recent
<code>.gitignore-meta/.regenerated/&lt;slug&gt;.ok</code> stamp; (4)
README + <code>docs/guides/*.md</code> describing the mechanism + manual
fallback + time/disk budget + §11.4.10 credentials. Bare
<code>.gitignore</code> additions without the mechanism are a §11.4
PASS-bluff variant — codebase appears complete but a fresh clone cannot
build/run. No escape hatch — no <code>--skip-regen-mechanism</code>,
<code>--gitignore-is-enough</code>,
<code>--operator-already-has-content</code> flag. Planned gate
<code>CM-GITIGNORE-REGEN-MECHANISM</code> + paired §1.1 mutation (strip
a required YAML key → gate FAILs).</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.77</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-77-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Severity-equivalent to a §11.4 PASS-bluff at the
repository-hygiene layer. <strong>Canonical authority:</strong>
constitution submodule <code>Constitution.md</code> §11.4.77 for the
full mandate.</p>
<hr />
<h2
id="codegraph-code-intelligence-mandate-cascaded-from-constitution-submodule-11.4.78">§11.4.78
— CodeGraph Code-Intelligence Mandate (cascaded from constitution
submodule §11.4.78)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-20): <em>“Make codegraph MANDATORY
CHOICE for this purpose for all of our project … All project which do
not have configured and installed codegraph yet MUST DO IT and MUST USE
IT!”</em></p>
</blockquote>
<p>Every consuming project worked on by AI coding agents MUST install,
initialize, and use <strong>CodeGraph</strong>
(<code>https://github.com/colbymchenry/codegraph</code>, npm
<code>@colbymchenry/codegraph</code>) — a local SQLite semantic
code-knowledge-graph exposed to agents over MCP (100% local, no cloud).
(1) Install globally via npm with a user-writable npm prefix (no
<code>sudo</code>). (2) <code>codegraph init</code> +
<code>codegraph index</code>: <code>.codegraph/config.json</code> is
tracked, <code>.codegraph/codegraph.db</code> is gitignored with
<code>codegraph index</code> as its §11.4.77 regeneration mechanism; the
<code>config.json</code> <code>exclude</code> list MUST exclude every
credential/secret path per §11.4.10. (3) Wire
<code>codegraph serve --mcp</code> into every CLI agent (Claude Code
<code>.mcp.json</code>, OpenCode <code>opencode.json</code>, Qwen Code
<code>.qwen/settings.json</code>, Crush <code>.crush.json</code>,
host-local otherwise) referencing the bare <code>codegraph</code>
command on <code>PATH</code> (no hardcoded host path). (4) Cover the
integration with an anti-bluff suite whose per-agent end-to-end layer
uses an unforgeable challenge (a fact obtainable only by calling a
CodeGraph MCP tool, e.g. index node count via
<code>codegraph_status</code>); a genuinely un-drivable agent is a
documented SKIP per §11.4.3, never a faked PASS. (5) Document in
<code>docs/CODEGRAPH.md</code>, kept in sync per §11.4.12 / §11.4.65.
CodeGraph is consumed as the published npm package (§11.4.74) — not a
git submodule, adds no Git remote. Planned gate
<code>CM-CODEGRAPH-WIRED</code> + paired §1.1 mutation (strip a
secret-exclusion → gate FAILs).</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.78</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-78-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. <strong>Canonical authority:</strong> constitution
submodule <code>Constitution.md</code> §11.4.78 for the full
mandate.</p>
<hr />
<h2
id="own-org-submodules-must-be-included-in-the-codegraph-index-cascaded-from-constitution-submodule-11.4.79">§11.4.79
— Own-Org Submodules MUST Be Included in the CodeGraph Index (cascaded
from constitution submodule §11.4.79)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-21): <em>“All Submodules we use in the
project and that are part of organizations to which we have the full
access via GitHub, GitLab and other CLIs MUST BE included into the
codegraph database and initialized / scanned / synced!”</em></p>
</blockquote>
<p>Refines §11.4.78’s exclude-list with a per-submodule-ownership split:
(a) own-org submodules (full write access via the project’s CLIs —
canonical orgs <code>vasic-digital</code> +
<code>HelixDevelopment</code>) MUST be INCLUDED in the index; (b)
third-party submodules (the §11.4.74 <code>no-match → vendor</code>
path) MUST be EXCLUDED. Operational steps: (1)
<code>git submodule update --remote --merge</code> to pull latest before
re-indexing, respecting load-bearing pins on third-party submodules; (2)
adjust <code>.codegraph/config.json</code> exclude list to keep own-org
paths in scope; (3) re-index via
<code>scripts/codegraph_setup.sh</code>; (4) verify via
<code>scripts/codegraph_validate.sh</code> with ≥1 probe resolving a
symbol living ONLY inside an own-org submodule; (5) paired §1.1 mutation
— temporarily add the own-org submodule to exclude → validate MUST FAIL
on the cross-submodule probe → restore. An index that lies about
reachable symbols is a PASS-bluff against AI agents. Own-org submodules
silently excluded without an audit trail in
<code>.codegraph/config.json</code> comments is a release blocker.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.79</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-79-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. <strong>Canonical authority:</strong> constitution
submodule <code>Constitution.md</code> §11.4.79 for the full
mandate.</p>
<hr />
<h2
id="codegraph-regular-update-sync-automation-mandate-cascaded-from-constitution-submodule-11.4.80">§11.4.80
— CodeGraph Regular-Update + Sync Automation Mandate (cascaded from
constitution submodule §11.4.80)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-21): <em>“We MUST regularly check for
the updates and execute codegraph npm updates so the latest version of
it is always installed on the host machine! … Make sure we have proper
full automation bash scripts which will run regularly and that these are
part of the constitution Submodule … Make sure all updates, sync
processes we do and important codegraph related events are all
documented under docs/codegraph in Status and Status_Summary documents …
and regularly export them like all other Status docs into the PDF and
HTML!”</em></p>
</blockquote>
<p>Three deliverables (all living in the constitution submodule,
inherited by reference per §3 — consuming projects invoke at
<code>${CONST_DIR}/scripts/codegraph_*.sh</code>, never copy): (1)
<code>scripts/codegraph_update.sh</code> — npm-installs latest
<code>@colbymchenry/codegraph</code> after a registry version check;
appends old/new version to <code>docs/codegraph/Status.md</code>;
anti-bluff verifies <code>codegraph --version</code> reflects the new
version after install (npm exit 0 ≠ working binary). (2)
<code>scripts/codegraph_sync.sh</code> — after a successful update runs
<code>codegraph status</code> → <code>codegraph sync .</code> →
<code>codegraph status</code> → the project’s
<code>scripts/codegraph_validate.sh</code>; appends every step’s output
to BOTH the project’s and the constitution’s
<code>docs/codegraph/Status.md</code>. (3)
<code>docs/codegraph/Status.md</code> + <code>Status_Summary.md</code>
append-only ledgers, exported to <code>.html</code> + <code>.pdf</code>
per §11.4.65. Cadence: weekly floor (per §11.4.45). A consuming project
that has not run <code>codegraph_update.sh</code> in &gt;2 weeks AND has
open AI-agent work is a release blocker. Paired §1.1 mutation: downgrade
installed version → script detects drift → restore.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.80</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-80-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. <strong>Canonical authority:</strong> constitution
submodule <code>Constitution.md</code> §11.4.80 for the full
mandate.</p>
<hr />
<h2
id="cross-platform-parity-mandate-cascaded-from-constitution-submodule-11.4.81">§11.4.81
— Cross-Platform-Parity Mandate (cascaded from constitution submodule
§11.4.81)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-21): <em>“Any Linux-only blocker /
issue we have MUST BE created macOS and other supported platforms
equivalent! So, depending on platform proper implementation will be used
for particular OS! EVERYTHING MUST BE PROPERLY EXTENDED AND
UPDATED!”</em></p>
</blockquote>
<p>Every consuming project whose supported-platforms manifest lists more
than one OS MUST, for every feature/test/gate/challenge/mutation
depending on platform-specific primitives, ship a per-OS-equivalent
implementation chosen at runtime via <code>uname -s</code> (or
equivalent detection). Three sub-mandates: <strong>(A) Per-OS
implementation REQUIRED</strong> — Linux
cgroup/systemd/<code>/proc</code> primitives MUST have documented per-OS
equivalents (POSIX <code>setrlimit</code>/<code>ulimit</code>, macOS
<code>launchd</code>, BSD <code>rctl</code>, Windows Job Object) chosen
via runtime dispatch. <strong>(B) Per-OS tests REQUIRED</strong> — every
platform-dependent gate test MUST have
<code>case "$(uname -s)" in</code> branches with positive captured
evidence per §11.4.2 + §11.4.5 in each branch; SKIP-with-reason
acceptable ONLY when the platform genuinely cannot enforce the
invariant. <strong>(C) Honest kernel-gap citation + adjacent equivalent
test REQUIRED</strong> — where a Linux primitive has NO equivalent due
to a documented kernel limitation (canonical: XNU does not enforce
<code>RLIMIT_AS</code> for unprivileged processes), the test MUST detect
the gap at runtime, SKIP with exact kernel reason + reproducer +
honest-gap-doc link, AND provide an ADJACENT test exercising the closest
invariant the platform CAN enforce
(e.g. <code>RLIMIT_CPU</code>+<code>SIGXCPU</code> as the macOS proxy),
itself anti-bluff with a paired §1.1 mutation. Gate
<code>CM-CROSS-PLATFORM-PARITY</code> scans for
<code>case "$(uname -s)"</code> blocks asserting a non-SKIP branch (or
honest-gap citation) per platform in the manifest; paired mutation
strips a Darwin branch → gate FAILs. No escape hatch.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.81</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-81-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker on multi-platform projects.
<strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.81 for the full mandate.</p>
<hr />
<h2
id="iteration-speedup-discipline-mandate-cascaded-from-constitution-submodule-11.4.82">§11.4.82
— Iteration-Speedup Discipline Mandate (cascaded from constitution
submodule §11.4.82)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-22): <em>“How can we speed-up this
whole development and fixing process? … Do not forget to all speed
optimizations critical rules and mandatory constraints MUST BE all added
into our root (constitution Submodule) Constitution.md, CLAUDE.md,
AGENTS.md and QWEN.md and all other relevant constitution Submodules
files!”</em></p>
</blockquote>
<p>Iteration cycle time is a first-order quality enabler. Every
consuming project’s build / test / commit / debug pipeline MUST adopt
these speedup disciplines AS MANDATORY (each independently enforceable):
(A) Phase-1 forensic (<code>superpowers:systematic-debugging</code>)
before any speculative source patch — speculative patches without
FACT-grade root cause are §11.4.6 + §11.4.82 violations; (B)
Live-ADB-First (or live-equivalent) before any rebuild — strengthens
§11.4.51 to a release-blocker mandate; (C) 30-second pre-flight before
launching rebuild orchestrators (device/sink reachability, host
memory/disk, no stale locks, no orphan processes); (D) persistent build
caches outside containers
(<code>ccache</code>/<code>sccache</code>/Gradle daemon bind-mounted to
host); (E) module-only rebuild for loadable-module-only changes; (F)
parallel multi-device testing with separate
<code>qa-results/&lt;TS&gt;/&lt;device-tag&gt;/</code> outputs; (G)
subagent scope discipline + worktree isolation (≤30 min budget,
single-responsibility, <code>isolation: "worktree"</code> default); (H)
lock-file + stale-process hygiene (clean <code>.git/index.lock</code>,
disable auto git-gc in concurrent repos); (I) cycle telemetry per
§11.4.24 (commit hash, per-phase wall-clock, speedup-flag set, outcome —
aggregated weekly). Gate <code>CM-ITERATION-SPEEDUP-DISCIPLINE</code>
audits recent cycles for telemetry citing which of (A)-(I) applied;
paired §1.1 mutation strips the speedup-flag column → gate FAILs. No
escape hatch — no <code>--skip-phase1-forensic</code>,
<code>--no-pre-flight</code>, <code>--rebuild-everything-always</code>,
<code>--unlimited-subagent-scope</code>, <code>--ignore-locks</code>,
<code>--no-telemetry</code> flag.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.82</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-82-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.82 for the full mandate.</p>
<hr />
<h2
id="docsqa-end-user-evidence-mandate-cascaded-from-constitution-submodule-11.4.83">§11.4.83
— docs/qa/ End-User Evidence Mandate (cascaded from constitution
submodule §11.4.83)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-22): <em>“every feature that ships
MUST carry a recorded e2e communication transcript + any attached
materials under <code>docs/qa/&lt;run-id&gt;/</code> (per-feature
subdirectories). A feature with no QA transcript is itself a §107
PASS-bluff — it claims to work but has no auditable runtime evidence.
Bot-driven automation MUST preserve full bidirectional communication
threads as proof.”</em></p>
</blockquote>
<p>Every feature that ships MUST carry a recorded end-to-end
communication transcript plus any attached materials (screenshots,
request/response payloads, audio, file uploads) committed under
<code>docs/qa/&lt;run-id&gt;/</code> — one directory per feature run.
Operative rule: (1) every consuming project MUST maintain a
<code>docs/qa/</code> tree, each new feature under
<code>docs/qa/&lt;run-id&gt;/</code> where <code>&lt;run-id&gt;</code>
is monotonic + greppable (timestamp / ATM-NNN / other workable-item ID
per §11.4.54); (2) transcripts MUST be full bidirectional — every
prompt/command sent + every response received (one-sided is not a
transcript); (3) attached materials MUST be committed in-repo (no
external-only links — that is a §11.4.13 sink-side violation); (4)
bot-driven / agent-driven QA automation MUST preserve the full
conversation thread as the proof artefact; (5) release gates MUST refuse
to tag a version that has any feature-shipping commit without its
matching <code>docs/qa/&lt;run-id&gt;/</code> directory. A feature with
no QA transcript is a §11.4 / §107 PASS-bluff. Composes with §11.4.2 /
§11.4.5 / §11.4.13 / §11.4.65 / §11.4.69 / §1.1.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.83</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-83-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker — no
<code>--qa-evidence-optional</code> escape hatch. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.83 for the full mandate.</p>
<hr />
<h2
id="working-tree-quiescence-rule-for-subagent-commits-cascaded-from-constitution-submodule-11.4.84">§11.4.84
— Working-Tree Quiescence Rule for Subagent Commits (cascaded from
constitution submodule §11.4.84)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-22): <em>“no subagent commit may
proceed while any concurrent mutation gate is in flight in the same
checkout. Before <code>git add</code>, the committing agent MUST
<code>grep</code> its own working tree for mutation markers
(<code>MUTATED for paired</code>, <code>// always pass</code>,
<code>return json.Marshal</code> shortcut paths, etc.). Any unexplained
file in the staging area triggers ABORT.”</em></p>
</blockquote>
<p>No subagent (or main-thread) commit may proceed while any concurrent
mutation gate, paired-mutation experiment, or other in-flight mutation
is live in the same checkout. Before <code>git add</code>, the
committing agent MUST grep its own working tree for mutation markers
(<code>MUTATED for paired</code>, <code>// always pass</code>,
<code>return json.Marshal</code> shortcut paths,
<code>// MUTATION</code> / <code># MUTATION</code> annotations,
<code>_mutated_*</code> filename suffixes, etc.) and explicitly account
for every modified file in the staging area; any unexplained file →
ABORT. (Forensic case: a logo-fix subagent’s <code>git add</code> swept
an <code>// always pass</code> JWT-verify mutation residue into an
unrelated commit pushed to all four mirrors — a real security-defect
window.) Operative rule: (1) pre-<code>git add</code> greps for mutation
markers + cross-checks <code>git status --porcelain</code> against the
subagent’s declared scope; unaccounted entries → ABORT; (2) any active
mutation gate MUST be serialised (mutate → assert FAIL → restore →
assert PASS) and the working tree verifiably clean before any unrelated
commit; (3) concurrent subagents in the SAME checkout MUST coordinate
through a lockfile (<code>.git/MUTATION_IN_PROGRESS</code>) — cleaner
solution is <code>git worktree add</code> per subagent (composes with
§11.4.20/§11.4.70); (4) post-commit
<code>mutation-residue-scanner</code> MUST run before push — any commit
containing a mutation marker → push BLOCKED.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.84</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-84-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. A mutation marker that lands in a tagged commit is
a critical defect regardless of how briefly it persisted.
<strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.84 for the full mandate.</p>
<hr />
<h2
id="stress-chaos-test-mandate-cascaded-from-constitution-submodule-11.4.85">§11.4.85
— Stress + Chaos Test Mandate (cascaded from constitution submodule
§11.4.85)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-24): <em>“Every fix or improvement you
do MUST BE covered with full automation stress and chaos tests so we are
sure nothing can break the functionality and all edge cases are
monitored and polished and additionally fixed if that is needed!
Everything must produce rock solid proofs and follow fully no-bluff
policy!”</em></p>
</blockquote>
<p>Every fix or improvement landed MUST ship with full-automation
<strong>stress</strong> AND <strong>chaos</strong> test suites
exercising edge cases, sustained load, concurrent contention, and
failure-injection. Happy-path coverage alone is a §11.4 / §107
PASS-bluff at the resilience layer. <strong>Stress</strong>
(closed-set): sustained load (N ≥ 100 iterations OR ≥ 30 s wall-clock,
p50/p95/p99 latency recorded) + concurrent contention (N ≥ 10 parallel
invocations, no deadlock/leak) + boundary conditions
(empty/max/off-by-one, each categorised). <strong>Chaos</strong>
(closed-set, per fix-class appropriateness): process-death injection +
network-fault injection (drop/delay/reorder) + input-corruption
injection + resource-exhaustion injection (disk full, OOM, FD exhaustion
— refuse cleanly OR degrade, NEVER crash) + state-corruption injection
(mid-flight lock loss, partial-write). Every stress + chaos PASS MUST
cite a captured-evidence artefact path per §11.4.5 + §11.4.69. Helper
library <code>stress_chaos.sh</code> provides
<code>ab_stress_run</code>, <code>ab_stress_concurrent</code>,
<code>ab_chaos_kill_pid_during</code>,
<code>ab_chaos_drop_network_during</code>,
<code>ab_chaos_corrupt_file_during</code>,
<code>ab_chaos_oom_pressure_during</code>,
<code>ab_chaos_disk_full_during</code>, each composing with
<code>ab_pass_with_evidence</code> / <code>ab_skip_with_reason</code>.
Cleanup non-negotiable in <code>trap '...' EXIT</code> (cleanup failure
= §11.4.14 violation). Four-layer coverage per §11.4.4(b) + paired §1.1
mutation (strip chaos-injection or evidence-capture → gate FAILs). No
escape hatch — no <code>--skip-stress</code>, <code>--no-chaos</code>,
<code>--happy-path-suffices</code>, <code>--stress-test-later</code>
flag.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.85</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-85-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.85 for the full mandate.</p>
<hr />
<h2
id="rostercorpus-backed-status-doc-auto-sync-mandate-cascaded-from-constitution-submodule-11.4.86">§11.4.86
— Roster/Corpus-Backed Status-Doc Auto-Sync Mandate (cascaded from
constitution submodule §11.4.86)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-25): <em>“Make sure that assets and
players Status docs are ALWAYS regularly updated and in sync like all
others Status docs — any time we add or modify the assets content(s) or
we change or add new / remove existing pre-installed video and audio
player apps! This MUST WORK OUT OF THE BOX!”</em></p>
</blockquote>
<p>Some Status docs (§11.4.45) are backed by a tracked roster (installed
apps/components) or a tracked asset corpus (test/media asset directory)
rather than narrative alone. Their freshness MUST NOT depend on operator
vigilance — the moment a roster/corpus member changes (app
added/removed/renamed; asset added/modified/removed) the Status doc +
Status_Summary + HTML + PDF MUST resync out of the box, mechanically.
Mechanism (all must hold): (1) drift-proof fingerprint — sha256 of the
sorted member list (NOT mtime), persisted in a sidecar beside the Status
doc; (2) a sync helper that regenerates the fingerprint + re-exports
HTML+PDF via the §11.4.65 exporter, wired so sync is automatic; (3) a
pre-build gate that FAILs when the live fingerprint differs from the
persisted one (mirrors §11.4.12 <code>CM-ISSUES-SUMMARY-SYNC</code> +
§11.4.45 <code>sync_integration_status</code>); (4) a paired §1.1
mutation corrupting the fingerprint and asserting the gate FAILs.
Classification: universal — the consuming project supplies the specific
docs, roster/corpus sources, helper, and gate name per §11.4.35.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.86</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-86-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker — no
<code>--skip-roster-sync</code>, <code>--allow-status-drift</code>,
<code>--roster-sync-not-applicable</code> flag. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.86 for the full mandate.</p>
<hr />
<h2
id="endless-loop-autonomous-work-zero-idle-agent-dispatch-anti-bluff-testing-mandate-cascaded-from-constitution-submodule-11.4.87">§11.4.87
— Endless-Loop Autonomous Work + Zero-Idle Agent Dispatch + Anti-Bluff
Testing Mandate (cascaded from constitution submodule §11.4.87)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-26): <em>“continue in endless loop
fully autonomously”</em> (and any semantically-equivalent phrasing).</p>
</blockquote>
<p>When the operator instructs an AI agent to continue in an endless
autonomous loop, the agent MUST treat it as a HARD-CONTRACT covenant:
(A) continue working until <code>docs/Issues.md</code> Status-column has
zero non-terminal entries AND <code>docs/CONTINUATION.md</code> §3
Active work is empty AND no background subagent is mid-execution AND no
external dependency is in-flight; (B) dispatch background subagents for
parallelisable work — main + every subagent operate concurrently,
“waiting for results” is the ONLY acceptable idle reason; (C) every
closure lands four-layer test coverage per §11.4.4(b) with
captured-evidence (audio/video/network/UI/sysfs physical proofs); (D)
the §11.4 anti-bluff covenant family (§11.4.1 / §11.4.2 / §11.4.6 /
§11.4.7 / §11.4.27 / §11.4.50 / §11.4.52 / §11.4.68 / §11.4.69 /
§11.4.83) is the operative truth-discipline — tests AND HelixQA
Challenges bound equally; (E) the loop terminates ONLY on
all-conditions-met, explicit operator STOP, host-session-safety demand,
or scheduled wake on a known-future-actionable signal. No escape hatch —
no <code>--idle-OK</code>, <code>--skip-endless-loop</code>,
<code>--bluff-permitted-for-this-task</code>,
<code>--metadata-only-test-suffices</code>,
<code>--no-physical-proof-required</code> flag.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.87</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-87-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.87 for the full mandate.</p>
<hr />
<h2
id="background-push-mandate-commit-lock-release-immediately-after-commit-push-runs-detached-cascaded-from-constitution-submodule-11.4.88">§11.4.88
— Background-Push Mandate: Commit-Lock Release Immediately After Commit,
Push Runs Detached (cascaded from constitution submodule §11.4.88)</h2>
<p>Forensic anchor (2026-05-26): a single <code>commit_all.sh</code>
held its flock ~5 hours because <code>do_push</code> ran synchronously
after the commit landed — every subsequent commit blocked on a slow
mirror push irrelevant to the local commit’s durability. Implementation
seam for §11.4.87(B) zero-idle. The mandate: (A)
<code>.git/.commit_all.lock</code> MUST be released IMMEDIATELY after
<code>git commit</code> returns 0 — the commit is durable on local disk
regardless of remote push outcome; (B) push runs detached via
<code>nohup ./push_all.sh ... &gt; &lt;log&gt; 2&gt;&amp;1 &amp;</code>
+ <code>disown</code> — the orchestrator’s exit code reports COMMIT
success, NOT push success; (C) <code>push_all.sh</code> acquires
per-remote flock <code>.git/.push.&lt;remote&gt;.lock</code> so
concurrent invocations targeting the same remote serialize but
different-remote invocations run in parallel; (D) backgrounded push
failures land in
<code>qa-results/push_failures/&lt;ts&gt;_&lt;remote&gt;.log</code> —
the next autonomous-loop tick checks per §11.4.87(A) “no external
dependency in-flight” gate; (E) synchronous-push escape: explicit
<code>--sync-push</code> CLI flag preserves legacy behaviour for
§11.4.41 force-push merge-first audit paths. Gates
<code>CM-COVENANT-114-88-PROPAGATION</code> +
<code>CM-BACKGROUND-PUSH-WIRED</code> + paired §1.1 mutations.
Synchronous push (without <code>--sync-push</code>) = §11.4 PASS-bluff
at the execution layer.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.88</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-88-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker — no escape hatch beyond
<code>--sync-push</code> for force-push events. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.88 for the full mandate.</p>
<hr />
<h2
id="background-test-execution-mandate-cascaded-from-constitution-submodule-11.4.89">§11.4.89
— Background Test Execution Mandate (cascaded from constitution
submodule §11.4.89)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-27): <em>“Any tests we are executing,
especially long test cycles, MUST BE performed in background in parallel
with main work stream! This MUST NOT block our capabilities to work on
queued workable items. Main work stream can be blocked or sit iddle only
if absolutely needed and if it depends hard on results of some
background execution.”</em></p>
</blockquote>
<p>Symmetric anchor to §11.4.88 (background push) at the test-execution
layer. Mandate: (A) long-running tests (&gt;30 s expected:
<code>pre_build</code>, <code>meta_test</code>,
<code>test_all_fixes</code>, <code>recent_work_validate</code>, HelixQA
banks, 4-phase cycles, full-suite retests, audio supervisors,
dual-display recorders) MUST run via
<code>nohup ... &gt; &lt;log&gt; 2&gt;&amp;1 &amp;</code> +
<code>disown</code> with the log under a known dir
(<code>qa-results/&lt;test_id&gt;_&lt;ts&gt;.log</code>); (B) the main
stream proceeds to the §11.4.42 priority queue immediately; (C)
hard-dependency gating — poll an exit-status file or
<code>pgrep -af &lt;test&gt;</code> before steps that need the exit
code, surfacing as §11.4.66 interactive options if the test is still
running; (D) failures land in <code>&lt;log&gt;</code> files, the next
loop tick checks; (E) foreground execution permitted ONLY for &lt;30 s
tests OR explicit operator authorisation; (F) per-script flock
serialises same-script invocations, different-script invocations
parallel. Gates <code>CM-COVENANT-114-89-PROPAGATION</code> +
<code>CM-BACKGROUND-TEST-EXECUTION-WIRED</code> + paired §1.1
mutations.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.89</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-89-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker — no escape hatch beyond explicit
per-invocation operator authorisation. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.89 for the full mandate.</p>
<hr />
<h2
id="obsolete-status-per-item-obsolescence-audit-cascaded-from-constitution-submodule-11.4.90">§11.4.90
— Obsolete Status + Per-Item Obsolescence Audit (cascaded from
constitution submodule §11.4.90)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-27): <em>“Bug No 6 … seems obsolete
after latest request for new behavior … mark obsolete tickets with some
light gray background … text - the description to be strikethrough
styled … review all existing open or resolved workable items if they are
obsolete - not valid any more … There MUST NOT be any mistake! No bluff
is allowed of any kind!”</em></p>
</blockquote>
<p>The §11.4.15 Status closed-set is extended with a terminal
<code>Obsolete (→ Fixed.md)</code> value (orthogonal to Type per
§11.4.16). Obsolescence reasons (closed vocabulary):
<code>superseded-by-design-change | superseded-by-later-mandate | feature-removed | duplicate-of | unsupported-topology</code>.
Every Obsolete heading MUST carry an <code>**Obsolete-Details:**</code>
line (Since + Reason + Superseding-item + Triple-check evidence) within
8 non-blank lines. The §11.4.23 colorizer adds a
<code>cell-status-obsolete</code> class — light-gray
<code>#E0E0E0</code> background + strikethrough description. Audit
cadence: every release-gate sweep per §11.4.40 + §11.4.42; triple-check
is non-negotiable per the operator mandate. Composes with §11.4.15 /
§11.4.16 / §11.4.19 / §11.4.21 / §11.4.23 / §11.4.33 / §11.4.34 /
§11.4.40 / §11.4.42 / §11.4.66 / §11.4.71. Gates
<code>CM-COVENANT-114-90-PROPAGATION</code> +
<code>CM-ITEM-OBSOLETE-DETAILS</code> +
<code>CM-OBSOLETE-COLORIZER-WIRED</code> + paired §1.1 mutations.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.90</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-90-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.90 for the full mandate.</p>
<hr />
<h2
id="summary-doc-clarity-mandate-cascaded-from-constitution-submodule-11.4.91">§11.4.91
— Summary-Doc Clarity Mandate (cascaded from constitution submodule
§11.4.91)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-27): <em>“Summary docs -
Issues_Summary some not clear one line descriptions - like ‘Composes
with’ … For each workable item we MUST HAVE clearly understandable
meaning … every team member can clearly understand what that particular
workable item is exactly about! There cannot be misunderstanding or
unclearity of any kind and no bluff allowed!”</em></p>
</blockquote>
<p>Every summary entry (Issues_Summary, Fixed_Summary, README doc-link,
Status_Summary pages 1+2, all one-liners) MUST contain a self-contained
meaningful description ≥ 6 words OR ≥ 40 chars naming SUBJECT +
PROBLEM/GOAL. Forbidden one-liner anti-patterns: section labels
(<code>Composes with</code>, <code>Closure criteria</code>,
<code>Fix direction</code>, etc.); bare metadata fragments
(<code>Critical</code>, <code>Bug</code>, <code>In progress</code>,
etc.); section-marker echoes; a §-letter alone. Generators
(<code>generate_issues_summary.sh</code> /
<code>generate_fixed_summary.sh</code> /
<code>update_readme_doc_links.sh</code> /
<code>generate_status_summary.sh</code>) MUST extract from the H1/H2
heading line per the §11.4.54 ATM-NNN convention, NEVER from arbitrary
downstream text, and MUST refuse anti-pattern rows — emitting a
<code>(MISSING DESCRIPTION — fix source heading)</code> placeholder with
visual highlight. Gate <code>CM-SUMMARY-CLARITY-DESCRIPTIONS</code>
scans every summary; an anti-pattern match = FAIL. Audit cadence: every
§11.4.40 + §11.4.42 sweep.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.91</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-91-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.91 for the full mandate.</p>
<hr />
<h2
id="multi-pass-change-evaluation-discipline-cascaded-from-constitution-submodule-11.4.92">§11.4.92
— Multi-Pass Change-Evaluation Discipline (cascaded from constitution
submodule §11.4.92)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-27): <em>“Every change to the project
or codebase we do MUST BE evaluated in several passes and in in-depth
analisys for potential new issues or problems it can introduce! … no
bluff of any kind! After we do change or set of changes this mandatory
steps MUST BE taken!”</em></p>
</blockquote>
<p>Every non-trivial change MUST pass a 5-pass evaluation BEFORE it is
commit-ready: <strong>(Pass 1)</strong> main-task verification — change
achieves the stated goal, captured-evidence per §11.4.5/§11.4.69;
<strong>(Pass 2)</strong> regression-blast-radius analysis — enumerate
every direct dependency, demonstrate no contract break; <strong>(Pass
3)</strong> cross-feature interaction analysis — audit parallel features
sharing state/timing/hardware/shell environment; <strong>(Pass
4)</strong> deep-research validation per §11.4.8 — external precedent OR
“NO external solution found — original work” + CodeGraph queries per
§11.4.78/§11.4.79; <strong>(Pass 5)</strong> anti-bluff confirmation per
§11.4 / §11.4.1 / §11.4.6 / §11.4.27 / §11.4.50 / §11.4.52 / §11.4.69 /
§11.4.83 — no new bluff surface introduced. Each pass is documented
(commit footers OR <code>docs/</code> entries OR
<code>qa-results/</code> evidence). Only after all 5 passes complete may
commit/push/test/release proceed. Trivial exemption: typo /
revision-bump / MD-export-regen IF zero source touched AND the commit
message cites the exemption explicitly. Gates
<code>CM-COVENANT-114-92-PROPAGATION</code> +
<code>CM-MULTI-PASS-EVALUATION-EVIDENCE</code> + paired §1.1
mutations.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.92</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-92-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.92 for the full mandate.</p>
<hr />
<h2
id="sqlite-backed-single-source-of-truth-for-workable-items-cascaded-from-constitution-submodule-11.4.93">§11.4.93
— SQLite-Backed Single-Source-of-Truth for Workable Items (cascaded from
constitution submodule §11.4.93)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-27): <em>“There MUST be single source
of truth for all of our workable items - SQlite database … proper
scripts (we recommend Go programs) … reduce a chance for sync to be
broken … generate always all docs from DB or to re-generate Db from all
docs we have in opposite direction”</em></p>
</blockquote>
<p>The text-based Issues/Fixed/Summary/CONTINUATION constellation is
converted to a SQLite-DB-backed single source of truth. Schema mandatory
tables: <code>items</code> (atm_id PK + Type + Status incl. Obsolete +
Severity + title + description ≥40 chars + created/modified +
composes_with JSON + current_location); <code>item_history</code>
(append-only audit per §11.4.34 By/Reason/Evidence);
<code>obsolete_details</code> (§11.4.90);
<code>operator_block_details</code> (§11.4.21);
<code>firebase_metadata</code> (§11.4.47); <code>meta</code> (schema
version + last sync + integrity hash). A Go binary at
<code>cmd/workable-items/</code> provides <code>sync md-to-db</code> /
<code>db-to-md</code> / <code>diff</code> / <code>validate</code> /
<code>add</code> / <code>close</code>; bidirectional regen is
byte-identical round-trip (closed-set whitespace/section-order
tolerance). <code>commit_all.sh</code> refuses on non-empty diff;
<code>sync_issues_docs.sh</code> invokes the Go binary; pre-build runs
<code>workable-items validate</code>. Anti-bluff: unit + integration +
stress (1000-row insert + 10 concurrent writers) + chaos (mid-write
SIGKILL + corrupt-DB recovery + disk-full) + paired §1.1 mutation +
HelixQA Challenge <code>CME-WORKABLE-ITEMS-001</code>. The Go binary
lives in the constitution submodule
(<code>constitution/scripts/workable-items/</code>) per §11.4.74. Gates
<code>CM-COVENANT-114-93-PROPAGATION</code> +
<code>CM-WORKABLE-ITEMS-DB-PRESENT</code> +
<code>CM-WORKABLE-ITEMS-MD-DB-IN-SYNC</code> + paired §1.1 mutations.
(NOTE: the DB tracking rule is AMENDED by §11.4.95 — DB is TRACKED, not
gitignored.)</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.93</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-93-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker — text-based-only trackers are a
§11.4 PASS-bluff at the data-architecture layer. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.93 for the full mandate.</p>
<hr />
<h2
id="zero-idle-priority-first-parallel-by-default-operating-mode-cascaded-from-constitution-submodule-11.4.94">§11.4.94
— Zero-Idle Priority-First Parallel-By-Default Operating Mode (cascaded
from constitution submodule §11.4.94)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-27): <em>“We MUST NEVER sit iddle /
wait or sleep if there is possibility for us to work on something …
Always check if there is a possibility to work on something while we are
not working actively on something! Pick always by priority - most
critical workable items and other tasks MUST BE done first! … Stay still
/ iddle if nothing is left to be done at all or waiting for something
that is blocking us / you!!!”</em></p>
</blockquote>
<p>§11.4.94 binds §11.4.20 + §11.4.42 + §11.4.58 + §11.4.70 + §11.4.72 +
§11.4.82 + §11.4.87 + §11.4.88 + §11.4.89 into a single always-on
enforcement: (A) idle ONLY when every queued item is genuinely blocked
on an external dependency (hardware / network upstream / build/test
completion the conductor cannot accelerate) OR operator STOP OR §12
host-safety — “don’t see what to do” is NEVER valid; (B) before ANY
wake/sleep the conductor MUST survey parallel-work feasibility per
§11.4.42 + §11.4.72 + §11.4.87, identify non-contending items, and
dispatch in parallel per §11.4.20/§11.4.70 (subagent) + §11.4.58 (PWU
disjoint scope) + §11.4.89 (background long tests); (C) priority order
MANDATORY — pick highest-severity + §11.4.72 audio-first the conductor
can autonomously progress; (D) subagent-driven default for non-trivial;
(E) background default for &gt;30 s wall-clock work via
<code>nohup</code>+<code>disown</code>; (F) stability-preserving
(composes with §11.4.92 multi-pass + §11.4.84 quiescence + §12.6–§12.9
host safety); (G) progress updates surfaced at milestone boundaries.
Gates <code>CM-COVENANT-114-94-PROPAGATION</code> +
<code>CM-PARALLEL-WORK-AUDIT</code> + paired §1.1 mutations.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.94</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-94-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.94 for the full mandate.</p>
<hr />
<h2
id="workable-items-sqlite-db-is-tracked-in-git-never-gitignored-cascaded-from-constitution-submodule-11.4.95">§11.4.95
— Workable-Items SQLite DB Is TRACKED in Git, NEVER Gitignored (cascaded
from constitution submodule §11.4.95)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-27): <em>“We shall not Git ignore our
workable items SQlite DB since it is our single source of truth …
workable items SQlite DB regularly commited and pushed to all
upstreams!”</em></p>
</blockquote>
<p>§11.4.93’s earlier “gitignored per §11.4.30” clause is AMENDED — the
DB at <code>docs/workable_items.db</code> is TRACKED in git, NEVER
gitignored. It IS authoritative source data, NOT a build artefact. Every
<code>workable-items sync md-to-db</code> that mutates state MUST stage
+ commit + push the DB alongside the MD regen per §11.4.19 atomic-move +
§2.1 multi-upstream push. A WAL-checkpoint
(<code>PRAGMA wal_checkpoint(TRUNCATE)</code>) is required before
commit-stage so the transient <code>.db-wal</code> +
<code>.db-shm</code> sidecars (gitignored per §11.4.30) are safely
discardable. The §11.4.77 regeneration mechanism does NOT apply — the DB
IS the source. Destructive DB ops require §9.2 hardlinked-backup +
operator authorization; §11.4.41 force-push merge-first applies if DB
history ever needs rewrite. Gates
<code>CM-COVENANT-114-95-PROPAGATION</code> +
<code>CM-WORKABLE-ITEMS-DB-TRACKED</code> + paired §1.1 mutation.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.95</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-95-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.95 for the full mandate.</p>
<hr />
<h2
id="safe-parallel-work-with-long-build-catalogue-mandate-cascaded-from-constitution-submodule-11.4.96">§11.4.96
— Safe-Parallel-Work-With-Long-Build Catalogue + Mandate (cascaded from
constitution submodule §11.4.96)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-27): <em>“Are there except AOSP build
process any other active jobs being done at the moment? Can we work on
something in parallel while build is in progress so we slowly cleanup
our slate? … do as much as possible work in background in parallel with
main work stream and oreferrably using subagents-driven
approach!”</em></p>
</blockquote>
<p>An operational catalogue for the canonical long-running workload
(multi-hour containerised build per §12.9). <strong>SAFE during
build:</strong> (A) MD/docs work; (B) generator/helper script work under
<code>scripts/</code>; (C) pre-build + meta-test gate authoring + paired
§1.1 mutations; (D) on-device test scripts; (E) constitution submodule
edits + push; (F) any submodule commit + push per §11.4.88; (G)
read-only live-ADB probes
(<code>dumpsys</code>/<code>getprop</code>/<code>cat /proc/...</code>/<code>screencap</code>/<code>logcat</code>);
(H) subagent dispatch per §11.4.20/§11.4.70 + §11.4.84 quiescence; (I)
web research + external API queries with §11.4.10 credentials; (J)
workable-items DB ops per §11.4.93+§11.4.95; (K) backgrounded pre-build
+ meta-test execution per §11.4.89. <strong>UNSAFE during
build:</strong> (α)
<code>git checkout</code>/<code>reset --hard</code>/<code>clean -df</code>
on the source tree (use <code>git worktree</code>); (β) mass file
deletes/renames under built source trees; (γ) submodule pointer updates
affecting built artefacts; (δ) <code>out/</code> mutations; (ε)
<code>make clean</code>/<code>m clobber</code>/<code>rm -rf out/</code>;
(ζ) container destruction; (η) disk-filling breaching §12.9 free-space
minimum; (θ) §12 host-session-safety breaches. Conductor responsibility:
before EVERY pause point during a long build, consult the catalogue,
identify (A)-(K) queue items per §11.4.42+§11.4.72, and dispatch ≥1 per
§11.4.20/§11.4.70 subagent default + §11.4.89 background. “Build
running, nothing else to do” is NEVER true per §11.4.94+§11.4.96. Gates
<code>CM-COVENANT-114-96-PROPAGATION</code> +
<code>CM-PARALLEL-WORK-DURING-BUILD-AUDIT</code> + paired §1.1
mutations.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.96</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-96-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.96 for the full mandate.</p>
<hr />
<h2
id="maximum-use-of-idle-time-progress-update-cadence-cascaded-from-constitution-submodule-11.4.97">§11.4.97
— Maximum-Use-of-Idle-Time + Progress-Update Cadence (cascaded from
constitution submodule §11.4.97)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-27): <em>“keep it working, we should
do as much as possible, if not it all but as much as we can as long as
there is iddle time! it MUST be used! … keep us updated about all
progress and all phisycal proofs and gathered data as you progress
through all open workable items!”</em></p>
</blockquote>
<p>Operating-mode capstone strengthening §11.4.87 + §11.4.94 + §11.4.96:
(A) every minute of conductor idle time during which work could
autonomously progress AND is not genuinely blocked = a §11.4.97
violation; “as much as possible, if not it all but as much as we can” is
operative — dispatch CONTINUOUSLY through the entire idle window, not
just at scheduled wakes; (B) progress-update cadence — emit an
operator-facing 1-line update at every commit landed / subagent return /
constitutional anchor / captured evidence / milestone closure, no
operator prompt required; (C) continuous physical-proof gathering per
§11.4.5 + §11.4.6 + §11.4.69 — every autonomous closure cites
captured-evidence (evidence path goes into the §11.4.93
<code>item_history.evidence_path</code> when the DB lands); (D) composes
with §11.4.5/6/13/20/27/42/50/52/69/70/72/83/85/87/88/89/94/96; (E) the
idle-only-when-blocked closed-set is unchanged from §11.4.94(A). Gates
<code>CM-COVENANT-114-97-PROPAGATION</code> +
<code>CM-IDLE-TIME-AUDIT</code> + paired §1.1 mutations.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.97</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-97-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.97 for the full mandate.</p>
<hr />
<h2
id="full-automation-anti-bluff-mandate-cascaded-from-constitution-submodule-11.4.98">§11.4.98
— Full-Automation Anti-Bluff Mandate (cascaded from constitution
submodule §11.4.98)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-28): <em>“Make sure we have full
automation testing of all scenarios with real bot, main group and users
without any manual intervention or contribution of real user! Everything
MUST BE fully automatic and autonomous! These tests MUST BE able to
rerun endless times when needed! … Make sure there is no false positives
in testing! Every test and its results MUST obtain real proofs of
everything working! No bluff is allowed!”</em></p>
</blockquote>
<p>Closes the manual-intervention gap (§11.4 / §11.4.2 / §11.4.5 /
§11.4.50 / §11.4.85 / §11.4.87 / §11.4.89 / §11.4.94 did not explicitly
forbid it). A live/integration/e2e/Challenge test that requires a human
action during execution (typing a message, clicking UI, hand-triggering
a webhook, attaching a file — anything beyond startup) is by definition
a §11.4 PASS-bluff at the automation layer. (A) Every governed test —
unit/integration/e2e/Challenge/stress/chaos/live — MUST be fully
self-driving end-to-end, reporting PASS/FAIL/SKIP-with-reason without
any further human action after startup. (B) Single permissible
exception: one-time credential bootstrap performed OUTSIDE test
execution (<code>.env</code> from vault, shell exports, OAuth at first
install, MTProto session activation) — configuration, not test driving.
(C) Live messenger/channel/agent tests: no “operator must type” prompts
(drive programmatically via second account / webhook fixture /
loopback); no hard-coded session UUIDs that collide with the active dev
session (Herald 2026-05-28 <code>claude --resume</code> silent exit -1
lesson); no 60 s human-response windows (§11.4.50 determinism
violation); re-runnability proof — PASS at <code>-count=3</code>
consecutive automated invocations with self-cleaning state; §11.4.98
obsolescence audit classifies every existing test COMPLIANT vs
NON-COMPLIANT; no silent-skip-reported-as-PASS or
stale-evidence-as-fresh. (D) With §11.4.85 + §11.4.89 + §11.4.87 +
§11.4.94 forms a continuously-validated, non-flake, anti-bluff regime.
(F) Manual-dependency tests not rewritten within 30 days graduate to
§11.4.90 Obsolete citing §11.4.98.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.98</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-98-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.98 for the full mandate.</p>
<hr />
<h2
id="latest-source-documentation-cross-reference-mandate-cascaded-from-constitution-submodule-11.4.99">§11.4.99
— Latest-Source Documentation Cross-Reference Mandate (cascaded from
constitution submodule §11.4.99)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-28): <em>“Make sure we ALWAYS check
against latest versions of services we use web / online docs before
creating instructions! This situation is illustration of how we can
misguide ourselves or get banned! … These are mandatory rules /
constraints and the result is consistency and safety of created
instructions, guides and manuals!”</em></p>
</blockquote>
<p>Misguidance-by-stale-docs is the same severity class as a §11.4
PASS-bluff at the documentation layer (Herald 2026-05-28 case: a
first-draft MTProto guide recommended VoIP fallback numbers and omitted
the <code>recover@telegram.org</code> pre-login email — both
contradicted Telegram’s official docs + the gotd/td maintainer guide and
could have caused a permanent account ban). Closes the gap §11.4.92 Pass
4 alludes to but does not mandate. (A) Before committing any
operator-facing instruction/guide/manual/troubleshooting/setup doc, the
author MUST: (1) fetch the LATEST official online documentation of the
documented service/library via WebFetch / MCP / direct browsing — NEVER
training data, memory, or prior committed docs; (2) cross-reference
every instruction step against that source; (3) seek secondary
authoritative sources (maintainer SUPPORT.md, official changelogs,
vetted community FAQs) when the official source is sparse/silent; (4)
cite source URLs + date in a <code>## Sources verified</code> footer in
the doc; (5) cite a
<code>Sources verified &lt;date&gt;: &lt;urls&gt;</code> footer in the
commit message. (B) Negative findings (gaps/silences/contradictions)
MUST be documented explicitly. (C) Docs older than 6 months are STALE —
re-verify before citing as operator authority, at every vN.0.0 release
boundary, on service breaking-change announcements, or on operator error
reports. (D) Risk-classified services (messengers, cloud APIs, payment
systems, AI/LLM providers, code-hosting, package managers) carry a
90-day max staleness + explicit safety warnings. (E) Composes with but
is INDEPENDENT of §11.4.92 Pass 4. (G) Commit missing either footer is
BLOCKED at release-gate; stale-beyond-grace docs graduate to §11.4.90
Obsolete (<code>Reason=stale-documentation</code>).</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.99</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-99-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.99 for the full mandate.</p>
<hr />
<h2
id="autonomous-decision-over-blocking-mandate-cascaded-from-constitution-submodule-11.4.101">§11.4.101
— Autonomous-Decision-Over-Blocking Mandate (cascaded from constitution
submodule §11.4.101)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-28): <em>“when working in endless
working loop fully autonomously try to decide most properly about points
which would block execution and wait for us. If we haven’t answered now
work would be blocked whole night! If possible and if that will not
cause any issues make proper and most reliable and safe decision so we
achieve maximal efficiency and work gets fully done!”</em></p>
</blockquote>
<p>In autonomous / endless-loop mode (per §11.4.87), the agent MUST
minimize operator-blocking and make the safe, reliable, reversible
decision itself so work is not stalled (e.g. overnight) waiting for
input — §11.4.87 says keep working, §11.4.101 says HOW to clear the
decision points. <strong>Proceed-autonomously (closed-set, ALL must
hold):</strong> (a) the action is reversible OR has a captured pre-op
backup per §9.2; (b) the safe choice is determinable from captured
evidence per §11.4.6 (no guessing —
<code>LIKELY</code>/<code>probably</code>/<code>seems</code> is NOT a
determination); (c) a wrong choice’s blast radius is bounded AND
recoverable; (d) it composes with anti-bluff §11.4, host-safety §12,
data-safety §9. <strong>Block-only-when (BLOCK via the §11.4.66
interactive mechanism ONLY when ALL hold):</strong> the action is
irreversible AND high-blast-radius AND the safe choice cannot be
determined from evidence — e.g. external-account state the agent cannot
inspect, hardware it cannot access, destructive ops without backup,
force-push (also §9.2 + §11.4.41), spending money or sending data to
third parties. <code>Operator-blocked</code> per §11.4.21 is reached
only after this rule fires AND the self-resolution-exhaustion audit
completes. An unavoidable block parks one work unit — it does NOT pause
the loop; the agent keeps progressing every non-blocked item in parallel
per §11.4.87 + §11.4.94 (posing the question then going idle is a
§11.4.94 + §11.4.97 violation). Classification: universal
(§11.4.17).</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.101</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-101-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.101 for the full mandate.</p>
<hr />
<h2
id="mandatory-systematic-debugging-activation-always-loaded-skill-discovery-plugin-dependency-availability-cascaded-from-constitution-submodule-11.4.102">§11.4.102
— Mandatory systematic-debugging activation + always-loaded
skill-discovery + plugin-dependency availability (cascaded from
constitution submodule §11.4.102)</h2>
<blockquote>
<p>Verbatim user mandate (2026-05-29): *“Make sure that we ALWAYS
trigger / start the”/superpowers:systematic-debugging” skills when any
issues happen! If this is possible to activate and use in this
situations out of the box when we spot problems / issues / bugs /
misalignments / unconsistencies we MUST activate the skill(s) and make
strongest efforts in full in depth analisys / debugging and determine
root causes of all problem or obtain relevant data and information we
need! … we MUST make sure that “/using-superpowers” skill is ALWAYS
loaded, applied and used! All dependencies (plugins) that Claude Code or
other market places are offering MUST BE installed if these are not
already available for loading and use!”</p>
</blockquote>
<p>Three cooperating invariants — the difference between guess-and-retry
and investigate-to-root-cause-first. <strong>(A) Mandatory
systematic-debugging activation.</strong> On ANY spotted issue / bug /
test failure / gate failure / regression / misalignment / inconsistency
/ unexpected behaviour, the agent MUST activate
<code>superpowers:systematic-debugging</code> (or the
platform-equivalent structured-debugging discipline) <strong>BEFORE
proposing, writing, or applying any fix</strong> — the <strong>Iron Law:
NO FIXES WITHOUT ROOT CAUSE INVESTIGATION FIRST.</strong> Full
four-phase arc: root-cause → pattern → hypothesis → implementation.
Guess-and-retry, symptom-patching, and re-running a failed test hoping
it passes (“probably transient / flaky”) WITHOUT a completed
investigation are §11.4.102 violations; calling a failure
<code>transient</code>/<code>flaky</code>/<code>intermittent</code>/<code>probably-timing</code>
without captured forensic evidence is simultaneously a §11.4.6 and
§11.4.7 violation. <strong>(B) Mandatory always-loaded
<code>using-superpowers</code>.</strong>
<code>superpowers:using-superpowers</code> (or platform-equivalent
skill-discovery discipline) MUST be loaded and applied at session start
and consulted before any task; if ANY skill could apply — even at 1%
relevance — it MUST be invoked rather than improvised from memory.
<strong>(C) Mandatory plugin / dependency availability.</strong> Every
skill plugin / marketplace package / capability dependency the project
relies on MUST be installed + loadable BEFORE the dependent work
proceeds; a missing plugin that blocks a mandated skill is a
release-blocker until installed + confirmed loadable (install exit 0 ≠
skill loadable — confirm by observing the skill in the live capability
list). Composes with §11.4.4 / §11.4.6 / §11.4.7 / §11.4.8 / §11.4.43 /
§11.4.70 / §11.4.82(A) / §11.4.92. Classification: universal (§11.4.17).
No escape hatch — no <code>--skip-systematic-debugging</code>,
<code>--guess-and-retry-OK</code>,
<code>--symptom-patch-permitted</code>,
<code>--skip-skill-discovery</code>, <code>--plugin-optional</code>,
<code>--missing-plugin-is-warning</code> flag.</p>
<p><strong>Cascade requirement:</strong> This anchor (verbatim or by
<code>§11.4.102</code> reference) MUST appear in every owned submodule’s
<code>CONSTITUTION.md</code>, <code>CLAUDE.md</code>, and
<code>AGENTS.md</code>. Propagation gate
<code>CM-COVENANT-114-102-PROPAGATION</code>; paired mutation strips the
literal → gate FAILs. Release blocker. <strong>Canonical
authority:</strong> constitution submodule <code>Constitution.md</code>
§11.4.102 for the full mandate.</p>
<hr />
<h2
id="continuous-parallel-stream-working-routine-cascaded-from-constitution-submodule-11.4.103">§11.4.103
— Continuous parallel-stream working routine (cascaded from constitution
submodule §11.4.103)</h2>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.103 for the full mandate. The main
work stream MUST always stay FREE. ALL commit AND push operations run
detached. At least three parallel background subagent-driven streams
MUST run alongside the main stream whenever three or more non-contending
actionable items exist; the moment any one stream finishes a new stream
MUST immediately start. Most-critical and most-visible first; audio
always top per §11.4.72. Propagation gate
<code>CM-COVENANT-114-103-PROPAGATION</code> (literal
<code>11.4.103</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.103.</p>
<hr />
<h2
id="participant-identity-attribution-and-notification-tagging-cascaded-from-constitution-submodule-11.4.104">§11.4.104
— Participant identity, attribution and notification-tagging (cascaded
from constitution submodule §11.4.104)</h2>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.104 for the full mandate. Every
messenger MUST relate messages to a Participant (logical
Subscriber/User); the same logical person may have a different username
per messenger. Workable items MUST carry <code>created_by</code> and
<code>assigned_to</code> (canonical handles). Notifications MUST @-tag
the right participant — never the operator and never the system agent.
Propagation gate <code>CM-COVENANT-114-104-PROPAGATION</code> (literal
<code>11.4.104</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.104.</p>
<hr />
<h2
id="natural-language-intent-recognition-and-clarification-cascaded-from-constitution-submodule-11.4.105">§11.4.105
— Natural-language intent recognition and clarification (cascaded from
constitution submodule §11.4.105)</h2>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.105 for the full mandate. Users MUST
NOT need to know command syntax. The System determines intent via
three-tier resolution: recognise existing commands, infer exact intent,
or reply-tag-and-ask with a precise clarifying question. Never guess,
never drop a message silently. Propagation gate
<code>CM-COVENANT-114-105-PROPAGATION</code> (literal
<code>11.4.105</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.105.</p>
<hr />
<h2
id="docs-chain-mechanical-documentationdb-sync-engine-cascaded-from-constitution-submodule-11.4.106">§11.4.106
— Docs Chain — mechanical documentation/DB sync engine (cascaded from
constitution submodule §11.4.106)</h2>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.106 for the full mandate. Docs Chain
(<code>vasic-digital/docs_chain</code>) is the canonical mechanical
enforcer of documentation-sync mandates. Consumers MUST use the engine
instead of ad-hoc sync scripts, register chains via per-context YAML,
and never accept a faked transform. Propagation gate
<code>CM-COVENANT-114-106-PROPAGATION</code> (literal
<code>11.4.106</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.106.</p>
<hr />
<h2
id="anti-bluff-avtest-validation-techniques-mandate-cascaded-from-constitution-submodule-11.4.107">§11.4.107
— Anti-bluff AV/test-validation techniques mandate (cascaded from
constitution submodule §11.4.107)</h2>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.107 for the full mandate. A single
captured frame is NOT proof of playback. Every test asserting
audio/video output MUST prove liveness via freeze-detection oracle AND
an independent frame-advance counter from platform telemetry.
No-stale-from-previous cross-check, measured FPS,
no-flash-on-wrong-output, drive through realistic UI path, metamorphic
relations, full-reference quality metrics, mutation-test every analyzer,
per-channel audio RMS/loudness, calibrated thresholds. Propagation gate
<code>CM-COVENANT-114-107-PROPAGATION</code> (literal
<code>11.4.107</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.107.</p>
<hr />
<h2
id="four-layer-fix-verification-runtime-signature-as-definition-of-done-mandate-cascaded-from-constitution-submodule-11.4.108">§11.4.108
— Four-layer fix-verification + runtime-signature-as-definition-of-done
mandate (cascaded from constitution submodule §11.4.108)</h2>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.108 for the full mandate. A fix
crosses four distinct layers: SOURCE, ARTIFACT, RUNTIME-ON-CLEAN-TARGET,
USER-VISIBLE. Green at layer 1 says nothing about layers 2–4. Every fix
declares one machine-checkable runtime signature verified on a clean
deployment. Gates span all four layers. Deployment MUST yield a clean
state. Three or more “fixed-but-not-working” discoveries signal an
architectural verification flaw — stop patching symptoms, fix the
verification pipeline. Propagation gate
<code>CM-COVENANT-114-108-PROPAGATION</code> (literal
<code>11.4.108</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.108.</p>
<hr />
<h2
id="mandatory-anti-forgetting-enforcement-pretooluse-guard-hook-subagent-constitutional-preamble-orchestrator-pre-action-checklist-cascaded-from-constitution-submodule-11.4.109">§11.4.109
— Mandatory Anti-Forgetting Enforcement: PreToolUse Guard Hook +
Subagent Constitutional Preamble + Orchestrator Pre-Action Checklist
(cascaded from constitution submodule §11.4.109)</h2>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.109 for the full mandate. Every
consumer MUST wire
<code>constitution/scripts/hooks/guard-forbidden-commands.sh</code> as a
<code>PreToolUse</code> hook, maintain
<code>docs/AGENT_GUARDRAILS.md</code> with the subagent constitutional
preamble and orchestrator pre-action checklist, and provide a hermetic
hook test suite. The hook is inherited by reference, never copied.
Propagation gate <code>CM-COVENANT-114-109-PROPAGATION</code> (literal
<code>11.4.109</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.109.</p>
<hr />
<h2
id="pre-build-build-readiness-verdict-change-impact-clash-detection-mandate-cascaded-from-constitution-submodule-11.4.110">§11.4.110
— Pre-build build-readiness verdict + change-impact clash detection
mandate (cascaded from constitution submodule §11.4.110)</h2>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.110 for the full mandate. A single
deterministic READY-FOR-BUILD verdict gates every rebuild. A diff-driven
change-impact and clash detector cross-checks every newly-introduced
second-artifact dependency. Coverage-completeness is a gate. Two-speed
honesty separates grep-speed always-on gates from heavy REQUIRES_BUILD
gates. Every gate is anti-bluff by paired §1.1 mutation. Propagation
gate <code>CM-COVENANT-114-110-PROPAGATION</code> (literal
<code>11.4.110</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.110.</p>
<hr />
<h2
id="resolve-by-stable-name-not-by-enumeration-index-mandate-cascaded-from-constitution-submodule-11.4.111">§11.4.111
— Resolve-by-stable-name-not-by-enumeration-index mandate (cascaded from
constitution submodule §11.4.111)</h2>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.111 for the full mandate. Any binding
to a hardware device / resource handle / enumerated entity MUST resolve
by a stable identifier (name / UUID / serial / label) and MUST NOT bind
by enumeration index / ordinal / slot unless the platform documents that
ordinal as deterministically pinned and the pin is captured + asserted.
Propagation gate <code>CM-COVENANT-114-111-PROPAGATION</code> (literal
<code>11.4.111</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.111.</p>
<hr />
<h2
id="structural-impossibility-wont-fix-classification-mandate-cascaded-from-constitution-submodule-11.4.112">§11.4.112
— Structural-impossibility won’t-fix classification mandate (cascaded
from constitution submodule §11.4.112)</h2>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.112 for the full mandate. When deep
research proves a goal is structurally impossible on the target platform
(forbidden by platform design / hardware-protocol constraint /
documented kernel-or-API limitation), the goal MUST be classified
<code>Won't-fix</code>, documented with impossibility evidence, and NOT
re-attempted without new evidence the platform constraint changed.
Propagation gate <code>CM-COVENANT-114-112-PROPAGATION</code> (literal
<code>11.4.112</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.112.</p>
<hr />
<h2
id="absolute-no-force-push-merge-onto-latest-main-mandate-cascaded-from-constitution-submodule-11.4.113">§11.4.113
— Absolute no-force-push + merge-onto-latest-main mandate (cascaded from
constitution submodule §11.4.113)</h2>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.113 for the full mandate. Force-push
is STRICTLY FORBIDDEN with NO exception. Every push MUST follow the
6-step integration procedure: fetch all remotes, set base to latest
main/master, carefully merge all changes on top, resolve every conflict,
commit, push to ALL upstreams as a fast-forward. The force-push escape
hatch from §11.4.41/§11.4.71 is REMOVED. Propagation gate
<code>CM-COVENANT-114-113-PROPAGATION</code> (literal
<code>11.4.113</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.113.</p>
<hr />
<h2
id="last-known-good-tag-regression-isolation-mandate-cascaded-from-constitution-submodule-11.4.114">§11.4.114
— Last-known-good-tag regression isolation mandate (cascaded from
constitution submodule §11.4.114)</h2>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.114 for the full mandate. When a
previously-working feature is observed broken, the FIRST diagnostic
action MUST be to identify the last release tag at which it was
known-good and diff/bisect against it before any open-ended root-cause
hunt or speculative fix. Default to surgical forward-fix over wholesale
revert unless the operator prefers otherwise. Propagation gate
<code>CM-COVENANT-114-114-PROPAGATION</code> (literal
<code>11.4.114</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.114.</p>
<hr />
<h2
id="red-baseline-on-the-broken-artifact-polarity-switch-mandate-cascaded-from-constitution-submodule-11.4.115">§11.4.115
— RED-baseline-on-the-broken-artifact + polarity-switch mandate
(cascaded from constitution submodule §11.4.115)</h2>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.115 for the full mandate. Every RED
test MUST be authored to reproduce the defect on the CURRENT pre-fix
artifact. The same test source MUST carry a polarity switch
(<code>RED_MODE</code>, default 1 = reproduce-and-assert-defect-present;
0 = standing GREEN regression-guard). RED-on-broken-artifact then
GREEN-on-fixed-artifact on a clean target MUST both be captured.
Propagation gate <code>CM-COVENANT-114-115-PROPAGATION</code> (literal
<code>11.4.115</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.115.</p>
<hr />
<h2
id="real-time-conductorautonomous-test-framework-sync-channel-mandate-cascaded-from-constitution-submodule-11.4.116">§11.4.116
— Real-time conductor↔︎autonomous-test-framework sync channel mandate
(cascaded from constitution submodule §11.4.116)</h2>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.116 for the full mandate. Any
autonomous long-running test/QA/validation framework MUST expose a
structured append-only event stream and an atomically-rewritten status
snapshot. Every verdict event MUST carry the evidence path that backs
it. A PASS event with no evidence path is a channel-layer PASS-bluff.
Propagation gate <code>CM-COVENANT-114-116-PROPAGATION</code> (literal
<code>11.4.116</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.116.</p>
<hr />
<h2
id="computer-vision-ocr-pixel-oracle-fallback-for-non-introspectable-uis-mandate-cascaded-from-constitution-submodule-11.4.117">§11.4.117
— Computer-vision / OCR pixel-oracle fallback for non-introspectable UIs
mandate (cascaded from constitution submodule §11.4.117)</h2>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.117 for the full mandate. Any test
that needs to drive a UI control OR assert on-screen content MUST NOT
assume the accessibility/semantic/DOM hierarchy is the source of truth.
When the hierarchy is blank/partial/known-unreliable, the test MUST fall
back to a pixel oracle: drive input by computer-vision template-match;
assert content by ROI OCR with a per-word confidence floor. The CV/OCR
analyzer MUST be self-validated with golden-good/golden-bad fixtures.
Propagation gate <code>CM-COVENANT-114-117-PROPAGATION</code> (literal
<code>11.4.117</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.117.</p>
<hr />
<h2
id="discovery-pressure-to-confirm-known-issue-set-completeness-mandate-cascaded-from-constitution-submodule-11.4.118">§11.4.118
— Discovery-pressure to confirm known-issue-set completeness mandate
(cascaded from constitution submodule §11.4.118)</h2>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.118 for the full mandate. A
remediation/release cycle MUST NOT treat “every reported defect is
fixed” as “the build is good.” After/alongside fixing the reported set,
the cycle MUST run a discovery + stress pass across ALL target
devices/environments, producing an enumerated list of
subsystems/user-journeys/stress scenarios actually exercised with
outcomes. “We found no other issues” without a coverage enumeration is a
§11.4 bluff. Propagation gate
<code>CM-COVENANT-114-118-PROPAGATION</code> (literal
<code>11.4.118</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.118.</p>
<hr />
<h2
id="single-resource-owner-partitioning-for-parallel-hardware-testing-mandate-cascaded-from-constitution-submodule-11.4.119">§11.4.119
— Single-resource-owner partitioning for parallel hardware testing
mandate (cascaded from constitution submodule §11.4.119)</h2>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.119 for the full mandate. When
multiple parallel streams exercise shared hardware or any
exclusive-access resource, exactly ONE stream MUST own each such
resource at a time. Every other concurrent stream targeting the same
resource MUST be READ-ONLY. Parallelism is partitioned by resource;
distinct devices/sinks/handles run fully concurrent. Ownership MUST be
enforced by an advisory lock/token. Propagation gate
<code>CM-COVENANT-114-119-PROPAGATION</code> (literal
<code>11.4.119</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.119.</p>
<hr />
<h2
id="fix-breaks-its-own-gate-reconciliation-mandate-cascaded-from-constitution-submodule-11.4.120">§11.4.120
— Fix-breaks-its-own-gate reconciliation mandate (cascaded from
constitution submodule §11.4.120)</h2>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.120 for the full mandate. When a
correct fix causes a pre-existing gate/test to FAIL because it asserted
old behaviour, the gate MUST be reconciled (rewritten to assert the new
mechanism + paired §1.1 mutation updated) — never fake-passed, weakened
to a tautology, or deleted; and the correct fix MUST NOT be reverted to
satisfy the stale gate. Propagation gate
<code>CM-COVENANT-114-120-PROPAGATION</code> (literal
<code>11.4.120</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.120.</p>
<hr />
<h2
id="no-commit-while-build-writes-tracked-artifacts-mandate-cascaded-from-constitution-submodule-11.4.121">§11.4.121
— No-commit-while-build-writes-tracked-artifacts mandate (cascaded from
constitution submodule §11.4.121)</h2>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.121 for the full mandate. A commit
MUST NOT run while a build/packaging/generation step is actively writing
artifacts into tracked (version-controlled) directories. The commit MUST
be deferred until the writing step completes so the tree is quiescent
and committed artifacts are the fresh, whole outputs. Propagation gate
<code>CM-COVENANT-114-121-PROPAGATION</code> (literal
<code>11.4.121</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.121.</p>
<hr />
<h3
id="no-silent-removal-of-existing-components-without-operator-confirmation-mandate-cascaded-from-constitution-submodule-11.4.122">§11.4.122
— No-silent-removal-of-existing-components-without-operator-confirmation
mandate (cascaded from constitution submodule §11.4.122)</h3>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.122 for the full mandate. No
application, system component, service, package, feature, driver,
module, library, or prebuilt asset — any already-existing end-user
capability — may be removed WITHOUT FIRST interactively asking the
operator and receiving an EXPLICIT keep-or-remove decision. A silent
removal is a release blocker regardless of rationale. Propagation gate
<code>CM-COVENANT-114-122-PROPAGATION</code> (literal
<code>11.4.122</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.122.</p>
<hr />
<h3
id="rock-solid-proof-or-deep-research-mandate-cascaded-from-constitution-submodule-11.4.123">§11.4.123
— Rock-solid-proof-or-deep-research mandate (cascaded from constitution
submodule §11.4.123)</h3>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.123 for the full mandate. Every
reported issue, fix, and claimed completion MUST be fully validated with
rock-solid captured proof before closure. When the validation method is
unclear, deep web research MUST be performed to discover or build an
evidence-producing method. Declaring something untestable without
exhausting the research path is a §11.4.123 violation. Propagation gate
<code>CM-COVENANT-114-123-PROPAGATION</code> (literal
<code>11.4.123</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.123.</p>
<hr />
<h3
id="deadunwired-code-investigate-before-remove-mandate-cascaded-from-constitution-submodule-11.4.124">§11.4.124
— Dead/unwired-code investigate-before-remove mandate (cascaded from
constitution submodule §11.4.124)</h3>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.124 for the full mandate. Before
removing any seemingly-dead (zero-importer / unwired) codebase,
investigate via git history where/how it was originally used and how it
became dead. Removal is permitted ONLY with captured proof it is
genuinely no longer needed — in its own separate commit. If no such
proof exists, investigate where/how to wire it in properly and add
missing tests. Propagation gate
<code>CM-COVENANT-114-124-PROPAGATION</code> (literal
<code>11.4.124</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.124.</p>
<hr />
<h3
id="code-review-agent-gate-before-pre-build-main-build-cascaded-from-constitution-submodule-11.4.125">§11.4.125
— Code-review-agent gate before pre-build + main build (cascaded from
constitution submodule §11.4.125)</h3>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.125 for the full mandate. After all
fixes/changes/implementations in a batch are done, and BEFORE running
pre-build tests and the main build, the agent MUST dispatch dedicated
code-review agent(s) performing a multi-layer review. Any finding MUST
be fixed, polished, improved, and covered with additional tests before
the build proceeds. The review iterates until no blocking findings
remain. Propagation gate <code>CM-COVENANT-114-125-PROPAGATION</code>
(literal <code>11.4.125</code>). Non-compliance is a release
blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.125.</p>
<hr />
<h3
id="default-autonomous-loop-working-mode-from-first-prompt-cascaded-from-constitution-submodule-11.4.126">§11.4.126
— Default autonomous-loop working mode from first prompt (cascaded from
constitution submodule §11.4.126)</h3>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.126 for the full mandate. The endless
fully-autonomous loop is the DEFAULT working mode, engaged automatically
the moment the operator sends the FIRST request/prompt of a session. The
loop continues until a new fully-validated-and-verified version tag is
created and published across all owned submodules and the main repo, OR
the main-stream goal is fully completed with the queue empty. Stops only
on explicit operator STOP, empty queue, or §12 host-safety. Mimicking
this behavior or producing false results is absolutely forbidden.
Propagation gate <code>CM-COVENANT-114-126-PROPAGATION</code> (literal
<code>11.4.126</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.126.</p>
<hr />
<h3
id="session-handoff-resumption-prompt-mandate-cascaded-from-constitution-submodule-11.4.127">§11.4.127
— Session-handoff resumption-prompt mandate (cascaded from constitution
submodule §11.4.127)</h3>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.127 for the full mandate. When a
fresh session is needed, the agent MUST ALWAYS prepare and proactively
provide a ready-to-paste resumption prompt valid for that exact moment
and project phase — self-contained enough that pasting it into a fresh
session resumes work with zero loss. Both SHORT and FULL variants. A
missing, stale, or generic prompt is a §11.4.127 violation. Propagation
gate <code>CM-COVENANT-114-127-PROPAGATION</code> (literal
<code>11.4.127</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.127.</p>
<hr />
<h3
id="always-on-device-recording-mandate-cascaded-from-constitution-submodule-11.4.128">§11.4.128
— Always-on device-recording mandate (cascaded from constitution
submodule §11.4.128)</h3>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.128 for the full mandate. For every
test/debug device and every device under known manual testing, across
every reachable transport, the project MUST ALWAYS live-record all
analysable data. Extra-careful, side-effect-free, non-invasive read-only
probes only. Background + parallel + subagent-driven. Raw data is
git-ignored and code-intelligence-excluded; only curated evidence is
committed at release prep. Propagation gate
<code>CM-COVENANT-114-128-PROPAGATION</code> (literal
<code>11.4.128</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.128.</p>
<hr />
<h3
id="huge-blocker-release-protocol-cascaded-from-constitution-submodule-11.4.129">§11.4.129
— Huge-blocker release protocol (cascaded from constitution submodule
§11.4.129)</h3>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.129 for the full mandate. On
discovery of a huge blocker during release validation: STOP all testing;
fix ALL discovered issues; process all recorded data; land rock-solid
fixes; author NEW validation+verification tests of ALL supported test
types; rebuild (full) + reflash to a CLEAN target; RESTART the full
validation+verification from the last release tag to now on all devices
in parallel, recorded, with real physical captured proofs. Propagation
gate <code>CM-COVENANT-114-129-PROPAGATION</code> (literal
<code>11.4.129</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.129.</p>
<hr />
<h3
id="post-remediation-validate-the-fix-first-after-redeploy-cascaded-from-constitution-submodule-11.4.130">§11.4.130
— Post-remediation validate-the-fix-FIRST-after-redeploy (cascaded from
constitution submodule §11.4.130)</h3>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.130 for the full mandate. When a
blocker is fixed and a new artifact produced + target reflashed, FIRST
re-test the specific last-failing features and validate the
just-incorporated fixes with real captured evidence — BEFORE
broader/full-suite validation. Only after the targeted fix is CONFIRMED
working proceed to the full retest. Propagation gate
<code>CM-COVENANT-114-130-PROPAGATION</code> (literal
<code>11.4.130</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.130.</p>
<hr />
<h3
id="standing-session-resumption-file-mandate-cascaded-from-constitution-submodule-11.4.131">§11.4.131
— Standing session-resumption file mandate (cascaded from constitution
submodule §11.4.131)</h3>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.131 for the full mandate. Every
project MUST maintain a SINGLE canonical, always-current
session-resumption file at a fixed project-declared standard path.
Creating a new session requires ONLY pointing the new agent at this one
file. The file MUST be rewritten whenever a fresh session is needed or
live state materially changes. A stale resumption file is a §11.4.131
violation. Propagation gate <code>CM-COVENANT-114-131-PROPAGATION</code>
(literal <code>11.4.131</code>). Non-compliance is a release
blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.131.</p>
<hr />
<h3
id="risk-ordered-validation-priority-mandate-cascaded-from-constitution-submodule-11.4.132">§11.4.132
— Risk-ordered validation priority mandate (cascaded from constitution
submodule §11.4.132)</h3>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.132 for the full mandate.
Tests/validations/verifications MUST run in RISK-DESCENDING order:
most-recently-worked first, then historically most-problematic, then
highest crash/break/regress likelihood, then most-reopened. The
highest-risk set MUST pass with real captured evidence before the
remainder of the suite runs. Running in arbitrary order is a §11.4.132
violation. Propagation gate <code>CM-COVENANT-114-132-PROPAGATION</code>
(literal <code>11.4.132</code>). Non-compliance is a release
blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.132.</p>
<hr />
<h3
id="target-system-hardware-safety-mandate-cascaded-from-constitution-submodule-11.4.133">§11.4.133
— Target-System + hardware safety mandate (cascaded from constitution
submodule §11.4.133)</h3>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.133 for the full mandate. Every
change to the target system MUST ALWAYS be safe for both the target
System itself (MUST NOT brick, boot-loop, corrupt data, or render the
device unrecoverable) AND the hardware it runs on (MUST NOT exceed safe
electrical/thermal/voltage/clock limits). Reversible-first; no
unverified hardware-control writes; thermal/perf changes respect cooling
design; flashing uses the sanctioned tool + integrity-verified image.
Propagation gate <code>CM-COVENANT-114-133-PROPAGATION</code> (literal
<code>11.4.133</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.133.</p>
<hr />
<h3
id="code-review-iterate-until-go-rock-solid-evidence-mandate-cascaded-from-constitution-submodule-11.4.134">§11.4.134
— Code-review iterate-until-GO + rock-solid-evidence mandate (cascaded
from constitution submodule §11.4.134)</h3>
<p>Cascade reference — see constitution submodule
<code>Constitution.md</code> §11.4.134 for the full mandate. When a code
review returns ANY finding, and the author fixes/improves the batch, the
code review MUST BE RE-RUN and MUST KEEP being re-run after each
remediation round, until it returns a clean GO with ZERO new issues AND
ZERO warnings of any kind. Every round’s verdict AND every fix’s
validation MUST carry rock-solid physical captured evidence. A reported
GO unbacked by captured physical evidence is a §11.4 PASS-bluff.
Propagation gate <code>CM-COVENANT-114-134-PROPAGATION</code> (literal
<code>11.4.134</code>). Non-compliance is a release blocker.</p>
<p><strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.134.</p>
<hr />
<p><strong>§11.4.135 — Standing regression-guard suite +
every-fixed-defect-gets-a-permanent-regression-test (cascaded from
constitution submodule §11.4.135).</strong> Every project MUST maintain
a standing regression-guard suite that runs on every build+deploy and
blocks the release tag on any failure. Every closed defect MUST, in the
SAME commit as its fix, register a permanent §11.4.115
RED-on-broken-artifact regression test into the suite. A closure without
a registered guard is a §11.4.123 violation. Propagation gate
<code>CM-COVENANT-114-135-PROPAGATION</code> (literal
<code>11.4.135</code>). Non-compliance is a release blocker.
<strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.135.</p>
<p><strong>§11.4.136 — Real-content end-to-end playback-test mandate
(cascaded from constitution submodule §11.4.136).</strong> Any test
asserting media playback works MUST drive REAL content through the
user’s path and assert it genuinely plays via the §11.4.107 liveness
battery PLUS a decoder-health census.
Metadata-only/launch-only/registration-only/single-frame/config-only
PASS is forbidden. Propagation gate
<code>CM-COVENANT-114-136-PROPAGATION</code> (literal
<code>11.4.136</code>). Non-compliance is a release blocker.
<strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.136.</p>
<p><strong>§11.4.137 — Subtitle/caption content-correctness oracle +
secure-display-proxy-honesty mandate (cascaded from constitution
submodule §11.4.137).</strong> A subtitle-correctness test MUST classify
the cue’s content class — a present cue is NOT a correct cue. CHROME
(FAIL) if a known control/menu label, time/numeric chrome, not prose,
outside the lower safe-title band, or static across the window. DIALOGUE
(PASS) only when prose + not-denied + not-chrome + position-ok + cadence
≥2 or fuzzy-matches the source-extracted cue. The oracle MUST be
self-validated with golden-good/golden-bad fixtures. Propagation gate
<code>CM-COVENANT-114-137-PROPAGATION</code> (literal
<code>11.4.137</code>). Non-compliance is a release blocker.
<strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.137.</p>
<p><strong>§11.4.138 — Operator-escape =&gt; mandatory bluff-audit +
permanent guard (cascaded from constitution submodule
§11.4.138).</strong> When the operator finds a defect that the GREEN
test suite passed, this MUST trigger before the fix is closed: a
§11.4.102 systematic-debugging pass; a bluff-audit identifying the exact
assertion that should have caught it but didn’t; a permanent §11.4.135
regression guard registered in the SAME commit as the fix; the
bluff-audit committed under
<code>docs/research/&lt;scope&gt;/&lt;defect&gt;_bluff_audit/</code>.
Propagation gate <code>CM-COVENANT-114-138-PROPAGATION</code> (literal
<code>11.4.138</code>). Non-compliance is a release blocker.
<strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.138.</p>
<p><strong>§11.4.139 — Fresh-process clean-artifact runtime-signature
mandate (cascaded from constitution submodule §11.4.139).</strong>
Before any post-deploy validation, the harness MUST assert
running-artifact == built-artifact: the deploy yielded a clean target OR
a pre-validation check proves no stale overlay shadows the deployed
code. A stale shadow makes the proxy report on code that was never
deployed — any PASS is a §11.4 PASS-bluff. Propagation gate
<code>CM-COVENANT-114-139-PROPAGATION</code> (literal
<code>11.4.139</code>). Non-compliance is a release blocker.
<strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.139.</p>
<hr />
<h2
id="action-prefix-system-token-efficiency-cascaded-from-constitution-submodule-11.4.14011.4.141">§11.4.140
&amp; §11.4.141 — action-prefix system + token-efficiency (cascaded from
constitution submodule §11.4.140/§11.4.141)</h2>
<p>§11.4.140 — Universal action-prefix system
(<code>ACTION_NAME ::</code>): When a user prompt’s FIRST non-blank line
starts with a recognised action prefix, look it up in the action
registry (<code>constitution/actions/registry.yaml</code>), REPLACE the
prefix with that action’s expansion text and apply its rules. Four
equivalent forms: <code>ACTION_NAME :: &lt;rest&gt;</code>,
<code>PREFIX::ACTION_NAME :: &lt;rest&gt;</code>,
<code>/ACTION_NAME &lt;rest&gt;</code>,
<code>/PREFIX::ACTION_NAME &lt;rest&gt;</code>. An unknown token that
matches the grammar shape but is NOT registered is NEVER silently
expanded — ask which registered action was meant or treat as a literal
prompt. The registered action BACKGROUND expands to executing the prompt
in background in parallel with all main work streams using
subagents-driven development with rock-solid physical evidence.
Propagation gate <code>CM-COVENANT-114-140-PROPAGATION</code> (literal
<code>11.4.140</code>). Non-compliance is a release blocker.
<strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.140.</p>
<p><strong>§11.4.141 — Token-efficiency mandate (cascaded from
constitution submodule §11.4.141).</strong> Every project worked on by
AI coding agents MUST cut token spend toward 30–40% of current (a 60–70%
reduction) WITHOUT degrading quality/performance/safety or breaking any
existing mechanism, via: prompt-cache the static governance prefix;
subagent model-tiering + output-to-file; thin always-loaded INDEX +
on-demand detail; CodeGraph/retrieval-first; output-token reduction;
tool-call batching + no re-reads; compaction/context-editing for long
sessions. A mandatory measured proof harness verifies the reduction from
the authoritative <code>usage</code> object. Propagation gate
<code>CM-COVENANT-114-141-PROPAGATION</code> (literal
<code>11.4.141</code>). Non-compliance is a release blocker.
<strong>Canonical authority:</strong> constitution submodule
<code>Constitution.md</code> §11.4.141.</p>
</body>
</html>